Welcome to this week’s edition of the teissTalk magazine.
teissTalk is a twice weekly web show where a panel of experts in cyber security discuss topical issues with members of the audience.
We send out a review of each week’s episodes of teissTalk in this magazine, to remind audience members of what we discussed and to brief people who couldn’t make the sessions about the main points that were covered.
The magazine has links to the recordings of this week’s teissTalks as well as a list of upcoming panel discussions. We hope you will find it useful and interesting, and we look forward to your participation in a future episode.
This episode examines:
Host: Jenny Radcliffe
On this episode of teissTalk, we look at:
Host: Geoff White
How has the pandemic affected the way that Microsoft has been operating?
With home working we have seen the demand for cloud services and the Teams collaboration platform rise enormously. There is a need to react to that by understanding what is going on in the customer environment. For instance, with more remote collaboration, customers are concerned about data controls and the potential for over sharing. So we have extended DLP controls into Teams.
There has been a massive increase in the number of fake domains and fake streaming services since the pandemic struck. Microsoft is one of the most spoofed brands, but we took down hundreds of fake sites in over 60 countries. Our digital crime unit works closely with other major platforms to reduce cyber crime, not just by protecting our brand but also by sharing resources and information to fight things like child abuse online.
How was the recent Solar Winds attack different?
First of all, we are talking about a nation state attack. Determination and sophistication were the hallmarks of this attack, taking it to another level; the criminals were well organised and had the right resources. It was also a very successful attack, highly targeted – affecting all five arms of the US military, for instance.
It’s been a wake-up call for the industry. We need to be improving services constantly. Companies need to think about how they can get the right updates out quickly, how they can help as many customers as possible, and how attacks can be detected quickly. But we also need to be better at going after the perpetrators, and we need to work with government to do that.
We shouldn’t get over concerned by the Solar Winds attack though. It wasn’t a destructive attack, or an act of war. It was simply espionage, and very similar to the things that our government and the other Five Eyes governments do on a daily basis.
The difference was that the scale was something we haven’t seen – no one was safe from this because they impacted the supply chain: that’s what was different.
How can we talk about resilience in the face of something so large?
The ability to withstand an attack isn’t just about resilience. You need to be proactive – to identify vulnerabilities beyond your own IT infrastructure, in the supply chain.
The company that was attacked initially, FireEye, is a cyber security company, and that has shaken people. The sophistication of hackers is increasing: they work like any good business, learning from the past, sharing information, improving their infrastructure. As enterprises we need to realise that we must try to keep up with that, and that everyone from CISOs and the Board down to receptionists has a role to play in keeping the company safe.
The scale was huge – but surely something of this scale was always going to happen?
The criminal gangs are experts and are organised very well. They plan and undertake long term reconnaissance. They proactively look for vulnerabilities in IT systems and the supply chain. We are going head to head with equals. We must accept that.
Is it possible to have full visibility of the supply chain and to manage it for safety?
Performing due diligence is the first step: who are you engaging with, are they performing to your standards, are their systems up to date? And this process needs to be built into your organisation and continuous. That’s a huge job – but it’s essential. InfoSec must be involved in any new processes and decisions from the start – it’s not an add-on. You need to be able to set standards for security and minimum levels of control.
Take acquisitions – which have increased during the pandemic. These take a lot of work to manage because they require you to examine unfamiliar systems.
Managing an extensive supply chain, which may extend into hundreds, even millions, of suppliers, is very difficult. Even chasing policy statements from suppliers is difficult, let alone auditing systems. But minimum standards must be baked into contracts. There is an obligation for large companies to help small ones here. The small ones often don’t have the knowledge or resources to be secure, so they need to be helped to get the right controls. We need to do this as an industry if we want to have small companies in our supply chains.
How do you improve organisational security?
Motivation and staff wellbeing are important. There is a need for active over-communication – leader to team, people to peers – to ensure everyone feels engaged. Reward and recognition are big motivators – and recognition is particularly important: it’s harder in a remote world where we can’t stand people up in front of their peers to congratulate them. So we need to think of new ways of recognising people in front of their peers.
Security is a particular concern with a remote workforce. We need to get everyone into the security mindset when they are working from home. We used to have swipe badges and a personal PC, and we knew we were working in a secure environment. Now you log onto home systems with a PlayStation 5 and a fridge connected alongside your work computer. Security teams need to manage that. Perhaps people have access to more data and services than usual – because there are fewer controls – so they need to be educated and supported to remain safe.
Communication is a big part of doing that. But when people are frightened it’s hard for communications to be effective. So you need to over communicate, not just check in once a week. Get under the surface to see if there are issues that need to be discussed.
Being empathetic is critical. For instance we are seeing an increase in insider threat – not always malicious. People make mistakes because of stress – perhaps because they are home schooling at the same time as working, they download things off the web because they can’t get access to the corporate tools or information they want. So security teams and organisational leaders must be mindful of changes in behaviour and sentiment. And again this involves communication, reassurance and being a good and visible leader.
How can we persuade senior decision makers to take this seriously?
Many do already. But CISOs still need to bang on the door of the Board. Cyber threats are very real and easy to see. But we need to get away from the technical aspect and focus on the commercial aspect. We can think of cyber security as a source of market capital. Customers know the value of their data and they want to be reassured that their data is safe if they share it with a company. If we can persuade them that we keep their data safe that’s a business advantage.
Cyber resilience is another business advantage. We are being asked whether we are resilient when we enter new contracts, so security is increasingly a business imperative. This even goes down to the level of individual consumers, who are becoming more aware of these issues.
Is there a cyber skills gap and if so what can we do to address it?
If people see cyber security in a more commercial light then this may attract people to the industry. There is no shortage of entry level jobs, and we need to persuade people to apply for them. Some of those jobs are highly technical though, and it will take longer to train people with technical skills. One major problem is that there is no focus on the necessary people skills in cyber security training: security professionals with people skills and technical skills are very rare – but you will only be resilient if you can manage people.
Cyber security is just a part of the wider and strategic area of enterprise resilience. It must not be put in a separate IT-based silo, as if we do that we will miss vulnerabilities – it needs to be part of an enterprise-wide function. It needs to be valued appropriately – you won’t be resilient if you don’t have the skills, plans or resources to recover from incidents – and that will affect the share price. We are seeing some change here. For instance, it is becoming common for data protection (with all its non-technical areas) to be combined with information security and operational security.
What changes did GDPR make to the way companies handle data?
GDPR brought data to the front of people’s minds. They realise that embedding data protection into an organisation’s culture is really important. If you don’t protect people’s data they won’t trust you. And if they don’t trust you then you can’t work with them.
GDPR hasn’t been a massive game changer. If you were doing data protection well before it then the changes you had to make weren’t huge. The rules improved and complying with them was, and is, a step by step process where you improve by increments rather than trying to do everything at once. And things keep changing so you need to carry on with that process.
One thing that GDPR did do was to increase the level of fines that are possible. For instance, a 10 million euro fine was issued to Grindr by the Norwegian privacy office. But that will be reduced after negotiation. There is the threat of a fine of 4% of global turnover: imposing it would bankrupt many organisations, even large ones, so it is unlikely to be used.
There are many reasons that fines are negotiated down. For instance, with Grindr their processes had changed by the time they faced the regulator. That’s going to help. And it’s going to help if you report breaches quickly: if you just sit on them and wait to get caught, the regulator won’t look at you very kindly.
The regulator is there to regulate; but they are also there to assist. They are not just there to hit you with a big stick. And in fact in the UK the ICO is generally very helpful. After all they want to see fewer data breaches.
In fact, fines are not the worst threat organisations face as a result of data breaches. In the UK, people accepted that class actions were an option after the Morrisons breach. We are seeing that now with BA. It’s a new environment, a new threat where you can, for instance, claim for mental anguish, something that’s very hard to prove or disprove.
Because of class actions, we may start moving more rapidly towards data anonymisation. Organisations will increasingly accept that they need to examine why they collect data, how they collect it and how they use it. For instance, if you are collecting data for statistical purposes you don’t need to collect personal details, so why do it?
What will data management look like in a post-Brexit world?
It’s likely that the UK will be given adequacy by the EU. In part this is because we are just out of the EU and the UK’s DPA is basically the GDPR with additions on public bodies and other areas that were derogated to member states. We do have stringent rules on law enforcement and the intelligence community which have been cited by the European Court of Justice as divergent from the way that the EU does things. But lots of trade is dependent on data flows. And because of the amount of trade on both sides of the Channel, we are likely to see an adequacy decision made.
Each organisation will need appropriate safeguards. There should be standard contractual clauses. And we may see more codes of practice, led by business, being developed. At a more fundamental level we will see organisations building their understanding of privacy: up till now many organisations haven’t really understood the lawful basis of their data collection, and that has to change. That’s not least because consumers increasingly expect more from privacy. Consumers will start to avoid companies that are lax with data. We may well see a privacy kitemark develop, like the URL padlock.
How do you make a stronger approach to privacy stick in organisations?
An area where there is little research is the attitudes to privacy of employees. Understanding that will help: why do people act differently at work and at home? (The fact that we all work from home these days is making that more significant.) One solution is to make security advice relevant to people’s home and family life. Get people to behave securely at home and they may bring those habits into work.
Another solution is to make sure security is easy to achieve. People will do the quickest and easiest thing to get to what they want: so we need to make sure that security processes don’t erect barriers to people working efficiently.
Regulators have a part to play. But they need to be organised logically. In the USA each state has different rules, which makes it difficult. There needs to be a federal regulator. In Europe each country has a regulator, but there is a supervisory regulator for the whole of Europe. And they are all working to the same set of rules, the GDPR: that makes it easier to manage.
Two things are needed. Security best practice is needed so that all organisations can implement adequate controls, such as Cyber Essentials. And there is a need for better training: we need to keep communicating and educating – especially younger people, who may be cynical about privacy.
Many young people expect their data to be breached. What do you do about that?
Breaches are common – 50% of organisations suffer a data breach in any one. But unfortunately data protection is boring. That’s because we aren’t good at articulating the real benefits. And because privacy is breached all the time people don’t think it is important. The consequences of a data breach are not always obvious to people, or not scary. So there is a laissez faire attitude. And memory is short: if there is a big data breach the share price may dip and customers may leave but within weeks things are back to normal. That is worrying and we need to explain to people that they should be concerned about their privacy.
How is privacy designed into computer products?
We need a set of clear standards for organisations that are producing things. The IoT is an example. There are lots of new products that can be connected to the internet being sold. But the standards around privacy for these products are unclear. There is a DCMS Code of Practice; but there isn’t a consistent and accepted way of working across business yet. The government needs to be firmer: legislating is all very well, but it needs to be rigorous enough. Regulators like the ICO also have a role. And so do the largest businesses, who can show the way. Achieving privacy involves changing business behaviour, and we are not there yet.