Cyber Crime: Do businesses have real solutions to their virtual world threats?

Law firm Pitmans and The Business Magazine gathered sector experts to discover if businesses, organisations, and enterprises are seriously underestimating the scale and seriousness of the cyber risks they face today. It is estimated that cyber crime costs the UK economy £1,000 per second – or £27 billion per year. It’s largely invisible, definitely invasive, and deeply invidious, but is it invincible?  John Burbedge reports the roundtable highlights

Are we aware? Can we afford not to deal with these risks?

Terry Pudwell said there was lack of awareness, but this was rapidly changing. He mentioned recent media coverage on the hacking of IT systems in BAe Systems and Sony. “In this country 2-3 years ago you never saw anything in the public domain about cyber threats, although it’s been US front page news for 10 years.”

“The problem is companies don’t understand the threats, don’t know what they can do, and if it can be done for a reasonable cost.”

Jason Hope: “Businesses read about the potential threats that exist, both internal and external, but they don’t spend appropriately on their security technology because they have not associated a cost point with their data. They don’t always understand the value of the data at risk, or what it may mean to their business if lost.

Pudwell: “If boards think it takes huge amounts of money to do anything, they just sit on their hands. We are moving to a stage of inactivity because of financial fears. Yet there are so many UK technology companies that could help.”

Adam Piper agreed, saying that the £27b UK annual cost of cyber crime needed to be explained. “Let’s personalise that risk, break it down so that businesses can understand it better.”

Philip James: “You have to treat your IP and data as money. What is the point in investing millions of pounds in R&D if you are then going to put it into a paper piggy-bank that someone can get into very easily?”

Steve Smith suggested there was a divide.  “Those businesses who will do something based on box-ticking compliance, and other camps (notably finance and legal) who recognise at board and business levels that they need to secure it.”

Some business sectors still didn’t have a proactive attitude to data and cyber security. Internal IT departments and providers understood the threats, but had problems evaluating the true risks, finding solutions, and presenting a sound business case to gain board support. “Businesses need help as to where to start.”

Admitting cyber threats are a major issue, Steve Smith suggested companies should adopt a bite-sized phased approach. “Understand the most critical areas first. Then address the 10% most critical, and you will probably bring down your overall business risk by 60-70%. Otherwise, you won’t get beyond the overwhelming nature of the perceived problems.”

James: “There’s no exact science on how much to invest in security but there are critical areas of risk than can be improved simply by increasing awareness.” Accepting that ‘Rome was not built in a day’, he said the priority objective should be to develop a Cyber Security Policy, with a co-ordinated implementation plan.

What does a hacker look like?

Steve Smith highlighted that there was now no stereotypical hacker. Age, lifestyle, sex, and social demographics gave no guide. “Only recently we had news of a junior pupil sent home for hacking his school’s computer system.”

The worrying aspect, said Pudwell, was the technology and downloadable software now available to potential hackers.

Piper: “The message is that it is getting easier to do, and we should expect it to become more prevalent.”

Pudwell: “In times of austerity disaffected people outside the organisation with the right technology and knowledge only need to find an unhappy friend inside."

Andrew Peddie asked whether the common belief that some national governments might be involved in cyber espionage was a reality, in the experience of those around the table.

Eryl Smith said the recent Strategic Defence & Security Review had highlighted Cyber Security as once of the highest challenges for national security highlighting the major perpetrators as organised crime, disaffected individuals (and/or employees), rogue organisations (which could include state-sponsored activity) and unscrupulous commercial enterprises (activity such as IP theft). Cyber attacks were generally aimed to be offensive or to steal information for gain.

Hope: “Someone with a mental construct that represents an intent to cause a detrimental event to occur.”

Can hacks help beat the hackers?

Pudwell:  “It’s interesting being at an event hosted by Pitmans and The Business Magazine, because such organisations can help in this greater awareness and understanding. Security software vendors can talk with clients about protecting assets till they are blue in the face, but we have strong vested interests.” American professional services firms not in the cyber security space were increasingly involved in identifying and valuing critical information assets, he noted.  Such independent advice may encourage boards to spend on cyber security.

“The biggest impact might be made by our friends in the media. As soon as they get onto a subject that is interesting and exciting, which this is beginning to be, it becomes front-page news. Sooner or later it will be reputational damage that becomes a driver.  Are you going to do business with someone you have just read the worst about in the daily paper?”

Information security was already becoming a reputational issue in the US and Japan, he noted.

Companies won’t be operating without the basic cyber security minimum, if the media is watchful, he suggested. “The Press could actually help us the most.”

Get it on the agenda!

Eryl Smith said businesses needed to be helped to help themselves. “We should not frighten people. We shouldn’t go overboard about the concerns.  It’s not something that’s going to be resolved overnight, but there are things that can be done now, simply and cheaply, to reduce the risks. 80% of potential cyber attacks can be prevented by basic cyber proctection measures. Part of it, is what is government’s role in signalling intent? And what is the opportunity and responsibility of business to pick up that mantle and move forward?”

Piper said it was matter of getting cyber security onto the national agenda.

Sandy McKenzie: “What we are experiencing is very much a technology shock, which is now becoming a more important long-term agenda item.”  He agreed that there were massive gaps in understanding and this was a global problem because of companies’ inter-connected partnerships and international trading.

“We have to come up with affordable yet capable security systems that will outlive all of us sitting around this table, but if people don’t understand how to use them, what’s the use in having them?

Mike Williams: “It is key that we get this on the agenda, particularly in the SME environment, because just assessing the risk and its potential is the starting point for a better understanding of today’s overall business risk environment.

“Health & Safety now appears on probably every board agenda, because you need to show that you are doing it. Why should that be different from information security?  At least being on the agenda is a prompt to start thinking about making things better.”

Is cyber security in the ‘too hard’ pile?

David Murray noted that SMEs often didn’t have the resources to tackle the scope of cyber threats.

Pudwell: “Some of our biggest companies are world leaders – for example, in aerospace, pharmaceuticals, banking  – and do implement extremely good cyber security. Some of that technology could be implemented very easily and cheaply in the majority of businesses. We should follow Pareto’s 80:20 law: we can deal with a mass of the risk with a small focused effort.”

Williams: “SMEs are often more concerned about the operational impact of using security technologies within their businesses. Today, there is greater awareness of the risks and the technology available to help overcome them, but SMEs don’t feel they can deploy them in an efficient cost-effective way. So, they retrench and settle into inertia.”

Eryl Smith: “Currently, debate, discussion and understanding around cyber is still relatively immature from the business perspective.  It has been highlighted publicly, but too many people in industry are still trying to understand what it all means. It is very difficult to put a value on what the cost is to a business. So, how do you make a robust business case?”

Hope said that in recent research, KPMG’s European head of technology, Tudor Aw, said: “It is concerning that so many business still treat data security as nothing more than a hygiene exercise when it should be elevated to a more strategic concern.”

Jonathan Durrant highlighted that the risk and cost to businesses may not arise simply through technological failings. A company’s greatest assets, its people, may ironically also be its greatest liabilities in the context of cyber. Managing the risk involves making sure that staff understand the risks too and act accordingly. The immaturity in the business community about cyber threats highlighted by Smith was itself a concern. “If we don’t fully understand the importance at board level, then how can we expect our staff to either?”

Eryl Smith queried where SMEs could go to get cyber security help, guidance and best practice advice. The Department for Business, Innovation and Skills was still developing its support, he understood and “it will be a while before they start to promote that widely and generically. It must be difficult currently for an SME to get authoritative advice without turning to individual commercial companies offering their goods and services.”

Rustam Roy suggested a mandatory compliance requirement would help create a market of commoditised advisory services, as had happened in other accreditation schemes. “Right now SMEs don’t know who to go to.”

Is the compliance landscape changing?

“I think it will,” said Eryl Smith. Getting engagement at senior leadership level was a major issue, not least because there were “so many governance issues that a board has to consider.”  He highlighted how health and safety was now firmly on board agendas, but had taken years to get there. “People are saying: ‘It’s not affecting us, we’ll wait until there is a clear reason for doing it’.”

James said the mention of compliance often caused people “to switch off or do the bare minimum”. But if you start to talk about loss of reputation, trust, brand, adverse PR, investors perceptions and effects on an organisation’s ability to secure funding or exit a business, such costs and the risks become easier to justify.”

Eryl Smith noted that in the defence sector, there had been three national strategies focused on cyber threats, “yet all without a clear implementation plan to take us forward. People are still trying to work out the real priorities, what standards need to be put in place".

Should there be specific mandatory standards for sensitive sectors, like the MOD, or a suitable standard across all sectors? “Some very simple measures would dramatically improve the basic resilience of all business and industry.”

Murray queried if it was possible to have one set of security standards for all sectors.

Eryl Smith suggested a layered approach could be devised. “Roll forward four years, and I can see many government public sector contracts where a standard or accreditation process, similar to ISO 27001, will be mandatory for certain forms of government procurement.”

Roy pointed out accreditation was one way of “getting a minimum level of security compliance in place without necessarily scaring people.” It was increasingly common for sector contracts to require Payment Card Industry Data Security Standards (PCI DSS), and this could be extended to other sectors or certain products or services, he suggested.

Pudwell agreed that PCI DSS and ISO 27001 were already accepted, not too difficult to comply with, and at least proved an acknowledgement of the risk involved.

Hello, Mr Director. You may be personally liable.

Pitmans' Peddie highlighted the legal perspective. “Companies need to make their executive board members aware that they may be personally exposed if they don’t get a grip on increasingly identifiable risks. The corporate world needs to move pretty rapidly towards a proper understanding of the significance of this area, otherwise board members could be in the firing line.”

Insurance broker Piper agreed that directors failing in their fiduciary responsibility to look after a company’s assets could themselves be at risk.   “We need to get down to the nitty-gritty, help them to understand what the cyber risk is, how it might impact the achievement of corporate objectives, how they can plan a solution to overcome it.”

Insurance might be part of that solution, he admitted, but although “there has been an uptick in interest, it is an emerging market and not everyone is offering cyber policies. I am sure many directors think they are already covered (by D&O insurance) but if there is no physical damage or bodily injury, there is no trigger, no coverage, and importantly no cover for defending a law suit from a third party".

“I actually think that fear can be a good thing.” D&O liability insurance began to be taken seriously when examples appeared of directors getting hit by lawsuits, explained Piper.

Eryl Smith agreed: “Most people think it won’t happen to them, but the moment the light goes on . . . then, there is an uptake.”

James mentioned moves in the US to insist on improved corporate governance disclosure of a company’s cyber security resilience. This had followed a cyber incident disclosure by Betfair, several months after it had floated. Only a small paragraph in Betfair’s 150-odd page prospectus had alluded to the incident. “There is an increasing onus on businesses to make disclosures and be transparent.” Similarly, in Japan, demonstrating resilience is proven to enable a company to secure more favourable banking products.

Pudwell said his company often advised mid-sized companies to at least, do something now.  “If you end up in court as a company director having not even taken the easily understood and inexpensive minimum steps that are available, you are in big trouble. Not least, your insurance may be invalid, but it’s equivalent to leaving your doors open at home.”

He said companies should take three immediate security steps:

Get your current security externally tested.

Put additional basic security practices in place.

Start recording what goes on in your IT infrastructure. It’s like CCTV in the High Street. If you do need evidence, at least you’ll have it.

“There is technology available to protect you against cyber risks.”

Williams: “The ability to go back and determine exactly what was happening and what someone was doing, is clearly very valuable. The ability to implement security policies and also measures that will help users in their day-to-day jobs adhere to those policies is even more valuable.”

Hope: “Organisations must identify the value of business they wish to undertake and the risks associated with that business, before deciding on justified outlay to sufficiently mitigate those risks. Four questions that should drive a security review:

“What is the threat assessment under which the business operates; what is the organisation’s risk appetite; how can risks be mitigated to an acceptable level; and what level of protection do current controls provide and what is the delta?”

What regulatory risks does the future hold?

James pinpointed proposed changes on the regulatory horizon, which could hit business balance sheets.  Draft changes by the European Commission to the European Data Protection Framework could mean company fines for a serious data breaches may increase from up to £500,000 to 2% of global turnover. “Although there has been criticism of fines as an effective sanction, In terms of getting attention focused on security, this can be a significant, albeit crude, incentive.”

Another proposed legislative shift is that along with the company’s data controller, anyone processing data on behalf of the company may now be liable for prosecution for breaches. This is a paradigm shift in regulatory onus and is likely to have a knock-on effect upon cloud and related data processing supplier business models.

The new regulation is directly applicable, unlike the current 1995 EU Directive, and the ICO’s response to the draft regulation has recommended that it be in force sooner than the conventional two year lead-in, following publication in the official journal, James added.

Pudwell: “I don’t think regulation is going to have as much effect as people think. The only people who get hit by the PCI standard for instance are the mid-sized companies. They don’t stop trading with massive customers over their corporate PCI issues.”

James also highlighted new provisions for reporting requirements, not only to regulators but customers as well. “What’s going to hurt organisations most is not necessarily the fines, but having to tell their customers they have had a breach.”

The Roundtable felt the inclusion of more security policy detailing was likely in annual reports and business prospectus documents, in order to counter data breach class-action law suits.

Make sure you don’t buy a Trojan Horse  . . .

Who the cyber attackers are should not actually be the focus for businesses, suggested Eryl Smith. “Where are a company’s vulnerabilities? That’s what matters. Companies will often put a lot of time and resources into protecting themselves and lose sight of what is just the other side of the boundary.”

He flagged up the risks of M&A, for example. “The acquisition can be the back-door vulnerability. Have you put in the due diligence to understand their security capability?”

Peddie: “In other words you may be acquiring a Trojan Horse.”

Eryl Smith: “Once you have got your own house in order, don’t stop there.”

Murray mentioned the irony of tensions being created by companies aiming to be more open and transparent, while being faced with more and more cyber threats.

McKenzie: “It is not just about separate OEMs and SMEs. Supply chains inevitably interconnect everyone, so it is the responsibility of everyone in the chain to make sure that due diligence is being done.”

Eryl Smith: “We have to accept that we will never get a perfect world, but there’s a lot that can be done very simply and effectively to raise our levels of capability and protection.”

. . . or virtually leave your valuables behind

James mentioned ‘cloud-lockers’ – for short-term virtual data storage. “Recent client security testing of cloud-lockers discovered that previous users had not cleared out all their data from the locker.”  This highlights the need for additional audit rights in relation to security and to carry out adequate due diligence before engaging a virtual provider.

Roy: “In cyber terms the boundaries are often theoretical, so you can’t just concentrate on what you are doing. Systems can be interlinked, data-sharing happens, so it’s not just internal or external threats. You have to consider security as a holistic thing.”

Data-sharing was not only a concern, but an essential weapon against cyber crime, said James. Hackers share their information, but it is important that companies do too to improve their security. “No-one likes washing their dirty linen in public, but how do we incentivise people to do that and share their experience and knowledge?”

Pudwell said sharing within sectors was happening at top corporate levels  – he highlighted major banks – but agreed that wider sharing of collective business knowledge would greatly benefit cyber security.

McKenzie: “The US are years ahead of us in cyber technologies, but when it comes down to international sharing, government laws do restrict them.”

Are you ready, if it happens?

Piper mentioned incident preparedness, crisis management and business continuity. “How ready are businesses if a cyber incident occurs?  Can they handle the impacts of the breach, from the practical to PR issues? If it happens, who deals with it, and how?”

Boards need to have their cyber plans in place, and to have resilience tested them, he added.

Peddie: “Cyber policy and strategy needs to be combined with an implementation plan but it also needs to be combined with a disaster recovery programme.”

Pudwell mentioned the cyber attack on RSA Security last year. The breach led to the IT security vendor overhauling the manufacturing and distribution of its SecurID tokens, resulting in the lengthy process of re-issuing tokens to clients, costing millions of dollars.

“They worked very hard to recover from that and they are still in business. Their handling of the soft side, the PR and communications was important. They admitted the breach fairly early and informed people well about how they were dealing with it. Of course, they were big enough to throw millions of dollars at the problem further down the scale that’s not so possible, and a breach could quite easily be the end of an organisation.”

Hope: “A system breach or attempted infiltration will trigger multiple, apparently unrelated, indicators across and organisation’s security systems. Those feeds need to be combined and correlated to provide a confident alert of a successful attack.

“Only then can response technologies be mobilised to isolate and contain the attack to a local area so that the rest of the network can function without interruption. The problem, once identified, can be remedied quickly and simply by first-line staff or automated if preferred. It’s important that all actions – human or automated – are undertaken in a forensically sound manner, retaining an audit trail throughout in order that a comprehensive impact assessment can be made and used thereafter to support internal HR investigations or litigation.”

Should the Government take the lead?

Durrant suggested that given the risks of not being unable to contain cyber threats which may initially affect only some users, the government may in fact need to take the lead in getting private companies to share their cyber security knowledge for the wider benefit of the wider national or even pan-national security regime.

Eryl Smith indicated that pilot studies were underway aimed at improving information sharing between government agencies and business and between businesses so as to better understand the threat and share best practice. "There are obstacles to be overcome, including commercial and legal issues but it is to be hoped that this will pave the way to increased levels of information sharing and preparedness.”

Another parallel programme on information-sharing is being run by UK technology body Intellect and ADS (Aerospace, Defence, Space trade organisation) under the ‘For Industry, By Industry’ banner, said Smith. This was aimed at encouraging industry to undertake sharing from a bottom-up level.

“I anticipate that over the next six months, the Government will have to signal what leadership it is going to give, what it’s going to require, or mandate, while accepting that there is a timescale of three to four years just to get to ‘good’. There is government recognition that you can’t simply wave a magic wand and everything will be hunky-dory.”

McKenzie thought that, like the media, the Government is a tool that can drive and create awareness but “ultimately if you want people who understand long-term open systems you have to look to industry to drive the architecture, thinking and strategy. After all, it will be building systems that outlive the politicians, who do not have the skillsets and understanding required.”

Things were different in the US where the Government, industries and the private sector operate much closer together than the UK, the Roundtable agreed. “However, don’t automatically assume that what happens in the US is a panacea for the way we should develop policy and strategy in the UK,” warned Eryl Smith.

Pudwell noted that the UK Coalition Government was making progress in its closer involvement with industry, aiming to develop a true ‘UK plc’. “ They are saying: ‘Tell us what we need, how do we raise our game?’ because they do want a home-grown cyber security industry.”

Operational risk or industrial opportunity?

Eryl Smith: “Much as this debate is about the risks of cyber activity, this is also a major economic opportunity for our sector to develop new products and services for export.”

Pudwell revealed that 95% of his company’s revenues already come from worldwide export, including the market-leading cyber security countries such as US, Israel and Japan. One reason for his high level of export business was the mindset of potential UK buyers who tended to purchase from market leaders, he added.

The question remained: Given the technology prowess in the south east, and the Thames Valley in particular, how do we seize that and turn it into a virtue rather a risk?

Is it an innovative industry? asked Murray  “Absolutely!” came the Roundtable reply.

Pudwell: “We have some great universities and colleges here, and our R&D work is as good as anybody’s. GCHQ is world-class and we have some huge advantages, such as government support for R&D through tax benefits.”  Commercial links with universities were becoming increasingly easy to set up.

“Around the world there is also a huge respect for the professional UK way of doing business, and part of that is trust. There is concern that technology from other parts of the world they may have back-doors built in. With UK technology you won’t have that problem."

“We have everything in place to grow a significant industry, and that could be a huge export bonus to the economy.”

James referred to Pudwell’s mention of Reading, Warwick and Cranfield Universities as having excellent cyber research resources. “In particular, Oxford is opening a Cyber Security Centre at the Department of Computer Science on March 26.” This presents an excellent opportunity to develop and position the UK as a pre-eminent expert and exporter of cyber risk products.

Piper added that Lloyds of London was also capable of great solutions in terms of innovative insurance responses to emerging risks.

Hope: “In terms of investing in industry, Prolink are sponsoring the cyber security labs at Coventry University and advising on appropriate course content to ensure that the next wave of graduates becoming cyber security professionals have real-world knowledge.”

Eryl Smith: “Our Government recognises that it hasn’t got the resources and budget, the capability to do this on its own. It needs to prioritise and draw heavily on industry to support it. It is an area where the UK has a burgeoning creative and innovative base, if it can be encouraged and fostered.”

Is foreign ownership a national concern?

Peddie raised the concern that many large companies and infrastructure entities now have private foreign owners.

“The utility sector for example is largely in corporate hands, much of it overseas owned. It’s their responsibility to have their security properly managed. Think about the Armageddon scenario if someone managed to shut down the National Grid. How much of a role is there really for UK government in the protection of our critical national infrastructure security if the ownership lies with the corporate sector?”

McKenzie noted that while such infrastructure threats were very much part of the Tier One security agenda, UK government expenditure for cyber protection (£650m) is minimal compared with the larger Defence budget.

Pudwell: “That should scare us because the US is spending huge sums on researching such infrastructure risks.”

Piper: “One of the troubles is that the Government has other things to do. They are trying to save the economy, for example. We need someone or some body championing this topic.”

McKenzie pointed out that a significant cyber breach could affect the overall economy.

Eryl Smith said the Cabinet Office (responsible for cyber security) was galvanized by the topic but: “Somebody needs to force the pace. At one end of the spectrum the MOD has some very clear security needs, and CPNI is promoting what is required at the other end. We are not going to turn the clock back on foreign ownership of infrastructure, so the role of government, through CPNI, is to co-ordinate knowledge and understanding.”

Information sharing at the highest levels was happening Smith agreed but:  “Industry in general is still struggling to understand what is going on because much of the information on cyber threats is classified.  We need to get a greater degree of two-way sharing of information so that business has a greater awareness of the threats and does more to protect itself.”

Procuring work of national importance

Durrant “The National Security through Technology White Paper confirms the government’s stated principle of adopting ‘open procurement’ in domestic and global markets for the UK’s defence and security requirements. So, how can our Thames Valley companies be best placed in that competitive environment to maximise their opportunities?”

He suggested local companies might secure more work if they concentrate on innovation which provides the ‘technology advantage’ – critically ensuring that the UK stays one-step ahead of the cyber enemy. Or, by focusing on “aspects of security which are of sovereign national interest. In those circumstances perhaps the Government will not be in a position to incline so much to global openness in procurement".

Pudwell suggested the Government should offer smaller procurement opportunities. “The bigger you make the procurement deal, the more you wonder if you can risk going with a smaller provider. So, the purchasers tend to go with a massive well-known player.”  The bigger the deal, the longer was the protracted tendering process, he added.

“If they change to smaller pilot deals (around £50,000 - £100,000), as other countries are doing, they can take the chance of going with a smaller company and getting better, more innovative solutions. That’s why the IT industry consolidates so quickly, because it’s far easier to buy innovation than develop it yourself through R&D. A lot of the cleverest people go to small businesses because they want to have a say, and make a difference.”

Peddie: “The Government is talking the talk, but not yet walking the walk.”

Pudwell: “If the Government buys from a company, that validates it.”

Eryl Smith: “The White Paper clearly creates an expectation that there will be more opportunities for SMEs, but we have a long way to go to change the process, frameworks and the cultures that will allow that to happen.

“I don’t now how they are going to get round the conundrum of wanting to be seen supporting UK industry without falling foul of the current procurement constraints.”

Peddie felt the Bombardier train procurement example might have woken up the Government to be smarter when matters are in the national interest.

How do you support SMEs getting into the procurement supply chain in critical areas? asked Murray.

Do more smaller projects and break down the larger projects so that they don’t come under EU procurement legislation, was one suggestion.

Eryl Smith suggested innovative ways of providing more physical resources and access at a lower cost to SMEs. He exampled the University of Oxford Cyber Security Centre, the opportunity to create new cyber security clusters and the need for more tax and regulatory incentives to encourage their success.

“Faced with some of the hurdles that they have to jump at the moment is it any wonder that SMEs can’t justify taking on the overheads of a major involvement.”

Pudwell said BA Systems Investment in Innovations (i3) programme was “a superb example of how this can be done. They put development funding, but not equity, into innovative organisations. In fact ourselves (Assuria) and Overtis are recipients. We would never have got near the highly classified government projects that we are now involved in, if we had not been providing technology to a Tier One player who then provides the solution. But the great thing is that we can now say our technology is used in that important space".

McKenzie: “It’s important SMEs, particularly R&D companies, retain independence, as they are more able to adjust their business strategy to suit the needs of larger companies in a fast-changing technology environment.”

Williams of Overtis agreed: “Being part of BA’s I3 programme is going to help us to engage in opportunities that we would not otherwise get a sniff at, and frankly it puts us on other people’s radar.”