Computer Weekly, in association with Trend Micro, invited a group of IT security leaders to a roundtable debate in Edinburgh to discuss what issues they were facing in the workplace, as well as how to address the threats.
Guests included information security leaders from Royal Bank of Scotland (RBS) and Tesco Bank through to public sector bodies such as the Forestry Commission and Edinburgh College, as well as e-commerce standards group Origo.
Despite their differing organisations, a number of common themes arose from the discussions and many delegates were facing the same problems, whether their company was big or small, private or public.
Martin Jordan, head of cyber response for KPMG, warned that the landscape was more dangerous now than ever, with a new breed of attackers serious about the task at hand.
“Law enforcement is redirecting resources from terrorism to help banks cope with the onslaught, which can’t be a good sign,” he said.
“Unfortunately there are increasing numbers of these criminal gangs, so expect to face more attacks from them.”
The type of attack has changed too, according to Rik Ferguson, vice-president of security research at Trend Micro.
“The biggest shift over recent years, and probably in the public consciousness in the past 18 months to two years, is very much the shift towards targeted attacks,” he said.
“The old threat landscape model was pretty much random – infect as many PCs as possible, take whatever data is available, and there is a direct path between attacker and victim.
“All of that is now changing to a targeted attack – be it on an individual, an organisation, a company or a group of people that play an online game, but a target. A chosen target.”
So how are these newly-formed gangs of cyber criminals and their means of attack surfacing in the corporate environment?
Ferguson said social networks were still an issue for companies, but unlike many security commentators who focus on the threat posed by Facebook, he believed there was a bigger risk.
“There are definitely tools that criminals use for making very credible attacks from scanning social networks, but if you listen to a lot of security companies, they will spend a lot of time talking about the threat posed by Facebook. Certainly some valuable information does get shared there, but I think what is sadly neglected is LinkedIn,” Ferguson said.
“It is not seen as a social network but as a professional network so it doesn’t count, apparently. But it is just a social network for people looking for a new job.”
Ferguson revealed personal details about roundtable guests, from a passion for guitars to the ability to speak Spanish, having conducted just 20 minutes of research on LinkedIn, illustrating how much the professional network exposes to anyone who cares to look.
“You have to consider what open source intelligence is available about the employees at your company,” he said.
The other exploding trend in businesses is mobile devices. Delegates agreed with Ferguson that the technology is increasingly working its way into offices across the country and poses a significant threat if its security is left unchecked.
“Probably the least-protected end-point in all of your businesses, and probably the fastest growing section in your network, is the smartphone,” he said.
“The commonly-used Blackhole exploit kit got a version two rewrite last year and as well as a lot of extra features for defeating security companies, one of the other things it included was collecting statistics for mobile operating systems.
“It may not be supplying exploits yet for Android or iOS, but it notices when someone is using those devices. The next step is to start providing exploits for those systems. That would be an absolute game-changer for the mobile threat landscape, which is exploding anyway."
Using apps as a way into mobile devices is also on the rise. To give an idea of scale, Ferguson said Trend Micro got the numbers “hopelessly wrong” when it predicted that by the end of 2012 there would be 130,000 unique malicious apps for the Android platform alone. Instead the figure reached 350,000.
“At the end of last year, we made a prediction for the end of 2013 and said, in that case, we fully expect to see more than a million malicious apps,” he said.
“Unfortunately, I got a new report two days ago and we are already at 530,000-plus so we are more than halfway there without being halfway through the year. It means a million is looking conservative.”
The human element
But how can IT security leaders tackle these growing issues when businesses themselves are going through a tough time?
A chief information security officer (CISO) from one of the UK’s leading financial institutions said: “We have all got legacy architecture and a limited budget. If we were drawing security systems up from scratch, we could build in all these things but it is difficult to [retro-fit].
“There is also the human element. We need to assume the human can’t spot a malicious email - so there will be compromises.
“They will open email attachments and all the awareness training in the world won’t stop this happening.”
Several delegates agreed that the human element was definitely their biggest challenge.
Neil Heydon-Dumbleton, head of group IT strategy, architecture and governance for the Royal London Group, said: “[You have to worry] when there are staff writing their passwords on the wall. We talk about protection but you have to look at the amount of legacy that is in business.
“We might be concentrating right now on how to keep the cloud secure for example, but we need to look back or those new defences become really pointless.”
Jamie Gray, principal information development officer at NHS National Services Scotland, agreed that old issues are still giving him headaches.
“Working in the NHS, I have found a lot of the risk is still paper-based,” he said. “In an environment where you have patient records at the end of the beds, there is still a risk there.”
One delegate argued that the biggest risk is the attitude of staff: people who just want to get on with their jobs rather than stop and follow policy.
Others agreed, citing examples of sitting next to business travellers on planes and being able to read customer data over their shoulders on their iPads, or of being on trains where someone logs into work email on a smartphone with little care for prying eyes.
The consensus was that there is a lack of security culture in some businesses, where operational expediency takes precedence over data protection.
User awareness training
So what is the answer? The key is all in the training, according to the head of ICT security at a financial services company.
“We have to focus on end-user awareness,” he said. “We will never fix the human - we have to look at ways to educate them, train them and try and stop these attacks from working.”
KPMG’s Jordan agreed, comparing cyber crime to other criminal activity where prevention is the best cure.
“There are good statistics from the police that prevention reduces the cost of managing crimes,” Jordan said.
“It is difficult to implement, but there must be budget set aside. You will never stop the attacks coming in, but you may stop employees [falling for them].”
There was mixed opinion of the effectiveness of user awareness training, with some guests saying there will always be those who ignore it or just don’t understand.
However, there was agreement that user education has to be attempted.
Ferguson said there should be better communication between the IT department and HR, bringing the need for awareness and staff training around information security to the forefront of everyone’s minds.
“The majority of issues we are facing are people-centric and not just in the sense it is the individual being attacked,” he said. “Before you invest in technology, there seems to be a number of things that need to be done that are also people-intensive and people-reliant to ensure the technology works.
“One of the biggest gaps in the corporate environment is between information security and HR. I think those are two departments that only talk when someone is being hired and someone is being fired. There is very little interaction beyond that.
“But looking at all those different areas where the person is the most important part, whether they are being attacked or trying to secure them, there is a lot more that could be achieved by bringing these people together – the functions that manage people and the functions that manage security.”
The threats may be getting bigger, more targeted and hitting more devices and networks than before, but a little common sense and a lot of training may go a long way towards mitigating serious security issues in the enterprise.
“There is no lack of willingness,” said Jordan. “But it is about the effectiveness of getting it done.”