This article is a recap of some of the main highlights from the FT Cyber Security Summit, which took place in London on Tuesday the 22nd of September 2015.
The day began with a keynote speech from Ed Vaizey MP, the UK Minister of State for Culture and the Digital Economy. Vaizey recapped some of the main things EU governments are doing to make cyberspace safer, praising the UK as a “pioneer of the digital age”. He discussed the Cyber Essentials scheme, through which the government helps businesses to create their own cyber security strategies, and also encouraged uptake of an initiative in which business owners can receive free training in cyber security.
The common belief that business owners must choose between either using the latest technology or having a good level of security was also discussed. A balance must be drawn between businesses wanting friction-free processes when engaging consumers, and protecting the security of both the business itself and its customers.
A panel discussion followed, in which representatives from WISeKey, the European Union Agency for Network and Information Security (ENISA), Decooda, and Pearson all talked about ways to develop a more effective corporate cyber security strategy.
It was agreed by all panelists that 100% prevention of security incidents is not possible; however, with the right plans in place, the risks can be minimised. These plans should include: (1) a cyber security strategy; (2) a crisis plan; and (3) communication on an ongoing basis across a company.
The challenges with moving cyber security from the IT department into the boardroom were also a matter of debate. It was generally agreed that cyber security should come to be regarded as part of an overall risk management strategy, and treated accordingly in terms of budget.
It is also important for board members to properly understand the risks involved, one panel member pointed out. There are various ways to do this: one of the simplest is to demonstrate how organised cybercrime is, by taking the Dark Web into boardrooms and showing board members the kinds of threats to which their companies can fall prey.
Cloud security was the next subject of discussion, presented by Paul Nicholas, the Senior Director of Global Security Strategy and Diplomacy at Microsoft. Nicholas pointed out that one of the main challenges with cloud security is that the concept of ‘cloud’ is difficult to comprehend, especially for people who are not technically minded.
One particular take-away from Nicholas’ presentation was the idea that a business’ ability to reinvent itself in a crisis will predict its ability to survive in the future. Education, awareness and leveraging available tools should all play a part in cloud security.
What role should the CEO play in cyber security strategy, and how does this relate to the reality of the situation? Kevin Mandia, President of FireEye, discussed this question in an interview with Hannah Kuchler from the Financial Times.
Mandia talked at length about how cyber attacks are perceived and how they should be dealt with, using the example of how a fourteen-year-old who hacks into a company’s systems would be tried under the same legislation as would Navy SEALs, if they had been the ones to break in. Mandia also highlighted how public opinion about data breaches is not necessarily in line with opinions about other crimes against businesses; if a business falls victim to a cyber attack, it is often assumed that the business owners are irresponsible, rather than simply being seen as the victims of a crime.
The question of many CEOs not properly understanding what the cyber security risks for their business actually are was also addressed. Mandia recommended asking three questions to streamline the cyber security decision-making process in the boardroom:
1. Will we detect a breach? If so, how?
2. What is the worst-case scenario if a breach occurs?
3. Who would need to be notified, and how would we notify them?
Another panel discussion followed, with representatives from the Post Office, Telecom Italia and Vodafone talking about cyber security in the communications sector.
It was agreed by all panelists that the biggest cyber threat in terms of profile would be a threat to the security of customer data. There are measures in place to prevent this, but it is difficult to strike a balance between planning for future attacks and still allowing a seamless consumer experience.
The Internet of Things was also discussed in this panel, with the concept of standardisation playing a strong role. Standardising each type of item, as well as how they present on the network, would facilitate investigators’ jobs.
There is a difference between cyber security strategies in sectors that are regulated versus those that are not, and this was the subject of discussion in the following panel, which included speakers from Elsevier, Heathrow Airport Holdings and Deutsche Bahn.
One of the most challenging aspects of regulation is getting regulators to speak to each other. Industry can agree to work with regulators, but a lot of conversations around people and processes are necessary, and this can slow progress.
Once again, the concept of taking IT into the boardroom was brought up, with panel members recommending building a general culture of cyber security in companies. One of the best ways to help the board to understand the importance of cyber security measures is to talk about it in terms of overall organisational performance.
Graham Wright from the National Grid then presented a case study of the company’s security strategy, including how they identify the nature and scale of potential threats across all their different countries of operation.
A particular challenge in recent years has been that frequently employees are unaware that an item they are replacing may pose a cyber threat. In the past, it was possible to replace one valve with another, without any concerns beyond whether the part worked and had been fitted correctly. Now everything comes with some sort of software installed, and engineers may not realise this or understand the scale of threat it can pose.
The afternoon’s sessions began with a panel discussion of cyber security in the financial sector. Four key objectives for banks were discussed:
1. A framework that adequately addresses cyber risk;
2. A platform for exchanging information and best practices;
3. Raising awareness;
4. Fostering cooperation and partnership with law enforcement agencies.
It is especially the case with institutions that hold large amounts of highly sensitive data, such as banks, that a cyber threat will generally not have just one element. DDoS attacks are combined with fraud attacks, which makes them harder to manage, as IT departments are fire-fighting the more obvious attack when they perhaps should be concentrating on the other.
Financial institutions should share data regarding the kinds of attacks they have faced and how they have dealt with them. This is not an area where companies should be competitive, but rather should work together to reduce the potential threat to their users.
David Palmer from Darktrace then took to the stage to present the current cyber threat landscape. Threats come from all sorts of agents, from organised groups to lone hacktivists or disgruntled employees. It is worth noting, however, that some criminal gangs are bigger and have better resources than some nation states, so threats from these areas should not be treated lightly.
Palmer predicted an increasing trend in hackers who disagree with companies, as well as from internal malicious employees. It is not difficult to posit the idea of a trusted employee taking your company down completely and stopping it from ever operating again.
The next presentation covered techniques for computer analysis and verification to improve security. Philippa Gardner from Imperial College London’s Department of Computing spoke about how traditional methods for handling modern software are inadequate, and recommended a greater overall understanding of computer software as the main way to correct actual and potential weaknesses and ultimately enhance cyber security.
“Defend, detect, bounce back” was the mantra of the following presentation, in which Matt Lewis from NCC Group spoke about cyber resilience as a measure of cyber security maturity. Lewis pointed out that conventional risk management involves quantifying risks through audits and security testing, something which does not completely translate to cyberspace. He discussed the importance of organisations detecting, responding to and recovering from cyber incidents as part of a normal business routine, defining resilience as an ongoing process.
Jaya Baloo from KPN Telecom then presented some thoughts around encryption technology, and the challenges associated with law enforcement agencies such as GCHQ and the NSA wanting to possess total information awareness. Post-quantum encryption is on its way, and both businesses and individuals need to be ready for this. Baloo ended her discussion with a maxim for life:
“Live well. Laugh often. Encrypt absolutely everything.”
Sorin Ducaru from NATO was then interviewed on stage by Sam Jones, the FT’s Defence and Security Editor. Ducaru spoke about current threats coming from Russia, China and ISIS, and how much damage they can potentially inflict on NATO and its members.
The day concluded with a keynote address from Ciaran Martin, the Director General for Government and Industry Cyber Security at GCHQ. Martin highlighted the need for private and public sectors to work together in the face of common cyber threats.
The next Cyber Security Summit will be held in Washington, DC on the 16th of March 2016. Anyone interested in attending should consult the official website for details.