Speaking at the conference, Ciaran Martin, CEO of the National Cyber Security Centre, explained that even basic security can slow relatively unsophisticated attacks.
Ciaran Martin, CEO of the National Cyber Security Centre, speaking at Telegraph Cyber Security
If the world has learnt anything over the last year, it’s the importance of cybersecurity. With a high-profile data breach wiping $350m off of Yahoo’s price tag during its sale to Verizon, Russia’s alleged interference in the US election and the WannaCry ransomware attack causing chaos for the NHS, it’s become clear that no startup can afford to neglect its digital defences. Fortunately, yesterday’s Telegraph Cyber Security conference brought together some of the brightest minds in the cyber space to provide insight and advice for companies looking to fend off attacks.
Unsurprisingly, in light of the staggering impact it had on the NHS and companies around the world, the recent WannaCry attack received considerable attention. “WannaCry was unprecedented in terms of its global scale, its seemingly random targeting and its human impact in the UK,” said Ciaran Martin, CEO of the National Cyber Security Centre, in his opening keynote. “But [in technical terms], it wasn’t unprecedented and wasn’t even terribly sophisticated.” While movies may have convinced the average member of the public that there’s no stopping global cyber attacks, he emphasised that there’s actually plenty your average entrepreneur or civil servant can do to limit the insidious impact malicious software can have. “Frankly, we despair of the Hollywoodisation of cybersecurity,” he said. “If organisations as a whole keep their basic security defences at the right level, the very best people in organisations like mine can go and fix the toughest problems, rather than worry about large-scale but basic vulnerabilities.”
Simple though this sounds, if companies are to ensure they’re adequately defended against even comparatively unsophisticated attacks, it’s vital for CTOs and chief information security officers (CISOs) to have the full buy-in of their boards. “What I’ve found in talking to boards is there tends to be a nodding and looking serious, rather than actually an understanding what you’re talking about,” quipped Gail Kent, global public policy manager at Facebook. But given that maximum fines for breaches under the EU’s new General Data Protection Regulation will sit at €20m or 4% of annual worldwide turnover, the quantifiable financial costs of failing to protect company data might get board members to sit up and take notice.
However, Kent also urged firms to think beyond just the financial effects of cybercrime: with 1.97 billion monthly active users, Facebook’s bigger concern is the impact a breach would have on its community as a whole. “It absolutely comes down to reputation and trust,” Kent said. “If anyone managed to access our systems then we’d lose that trust and we’d lose that reputation of keeping people’s data safe.”
The conference also explored the common sources of cyber breaches, highlighting that businesses would do well to worry as much about analogue attacks as about their firewalls. “It’s my experience that most companies don’t take this seriously and because of that there are inherent weaknesses,” said Chris Phillips, member of the board of advisors at the Chartered International Institute for Security and Crisis Management. Phillips recalled a recent meeting with a roomful of chief information security officers where 60% admitted they could still gain access to their previous workplace and 20% said they still had access to the firm’s digital systems. “Every one of those companies thought ‘we must take back their passes’ or ‘we must log them off the computer system’,” he said. “But actually in reality it doesn’t happen. I guarantee that your human resources person doesn’t realise [it but] they are the key person responsible for security in your organisation.”
That’s not to say that the technology cybercriminals have at their disposal hasn’t become more sophisticated, though. “We seem to be entering a world of super-paranoid computing, where no one machine can be counted on, fingerprints and iris recognition can be copied and [...] voice recognition software can be fooled by family members,” said Cormac Whelan, CEO UK & Ireland at Nokia. “[A] digital Pandora’s box has been opened and something that was never meant to be in the wild is now out of control.”
In light of these threats, Whelan explained that guarding the gates is no longer sufficient on its own: it is also becoming imperative to train machine-learning tools to recognise the behaviour of malware once it has penetrated a network’s defences. “What’s needed is the ability to detect before the damage is done, to monitor the network behind the firewall, inside the perimeter,” he said. “We can [use] the intelligence of the communications networks to self-monitor, self-diagnose and self-heal. We need the system to watch and we need the system to learn.”
Without a doubt, Telegraph Cyber Security provided some great food for thought for any firm looking to fend off digital threats.