This article is a recap of some of the main highlights from the SC Congress, held in London on the 10th of February 2016.
The day began with a panel discussion of EU data protection legislation, and what businesses need to do to comply. The panel was made up of four experts: Associate Fellow of Chatham House Emily Taylor; Emma Philpot, the Director of the IASME Consortium; Renate Samson, CEO of Big Brother Watch; and Jeremy King, Director of the PCI Security Standards Council.
The discussion touched on a number of important issues, but largely focused on the disconnect between the public’s right to privacy, and the responsibility of businesses to keep their customers’ data secure. One panel member scathingly described the process of trying to comply with international privacy laws as “fiddly and inconsistent”, and there was general agreement that more dialogue needs to occur at an international level in order to ensure an acceptable level of both compliance and security.
One difference between SC Congress and previous security conferences was a notably increased focus on the consumer being at the core of the issue. Members of the public are gradually becoming more aware of some of the challenges of data security and the difficulties they face when handing over their data, particularly in the wake of large data breaches such as Sony, Walmart and TalkTalk.
In line with this, two quotes that stood out from the initial panel were the following:
Following on from the opening discussion was another panel, moderated by Bob Tarzey, a columnist for various newspapers and tech magazines, and featuring Jamie Saunders, Tim Lansdale and Troels Oerting.
The subject of this conversation was the increasing prevalence of cybercrime, and what organisations can do to protect themselves. One interesting theme that recurred throughout the panel discussion was how much security could be viewed as proportionate or “enough”. With the number of breaches increasing at an unprecedented level, and with attacks coming from a variety of sources, from organised crime to hacktivists, from ransomware to teenage “script kiddies” performing DDoS attacks, it can be difficult for boards of directors to understand exactly how much they should be doing.
One of the things that companies should be more concerned with, according to one panel member, is the vetting of external vendors who are looking after various areas of business. 70% of enterprises reportedly enter into contracts with external vendors without conducting proper security checks, and often these vendors can be handling – or at least have access to – potentially very sensitive customer data.
Standardisation across businesses would of course bring a certain level of increased security to the table; the problems are how to decide the standards, and which cut-off points should exist based on business size. Smaller organisations will not have as much budget to spend on security measures as larger companies, but when the latter are contracting out various business processes to SMEs, it is important to keep the potential security implications in mind.
Following on from the opening panels, there were a series of sponsored sessions which took place concurrently in the three theatres. Kalle Jääskeläinen from SSH Communications Security continued the theme of the previous panel discussion, talking about how companies can monitor and audit the access their third-party vendors have to their systems. Jääskeläinen spoke about how encryption is an excellent security measure in some ways, but how it can also make it difficult to work out where a potential insider or vendor threat might be coming from.
Nick Colin from Centrify spoke in the second theatre, helping people to understand how to secure their companies against cyber threats at a high level, by customising user privileges and identities to make sure that any potential threats can be quickly found and quashed.
Of course, insider threats do still exist, even in the most secure of organisations. With that in mind, Dietrich Benjes from Varonis spoke about how to spot insider threats before they reach a point of no return. By using behaviour analytics on internal systems, it is often possible to predict where a potential threat might come from, and thus stop it from turning into a large security breach.
Following a short break, there was a keynote speech over lunch – an unusual way of doing things, which involved conference attendees being given a “packed lunch” in a paper bag and encouraged to take this into the main hall to hear Ken Munro speak about the Internet of Things and its implications for security.
Munro is an excellent speaker and his demonstration of various IoT-related security issues was both entertaining and informative. From children’s dolls and teddy bears, through to vehicle security, via wifi kettles and coffee-makers, Munro showed the SC Congress audience just how much data each of our wifi connected devices can give away, and how easy they can be to breach.
Following lunch was the third session, catchily titled ‘Armageddon on the Horizon’. This session looked at the various potential threats to critical infrastructure around the world, from SCADA systems generally to specific examples in transport, power, communications and the like. The session mainly covered topics that are widely discussed at most security conferences: namely, the potential implications of large-scale data breaches and whether it is merely a matter of time before we encounter one.
The panel also went over some of the legal implications of ‘Armageddon’-type breaches, and made some recommendations for how to reduce the risk of such threats. One interesting comment that cropped up was that standards, whilst necessary for security, are also useful for criminals: all they need to do is find out what the standards are in order to work out a way to bypass them. The potential implications of this problem were also discussed.
Following the panel were three further sponsored sessions. Ian Wells from Entrust Datacard asked whether it is possible to strike a balance between mobility and security in business, drawing on several elements of corporate life from building access cards to approving workflows.
Jason Macy from Forum Systems spoke in Theatre 2 about how traditional cybersecurity methods fall short of securing cloud- and mobile-based data, while in the third room Rami Essaid from Distil Networks talked about how difficult it is for businesses to keep up to date with the ever-evolving nature of web applications and IT systems. Making the point that what is secure now is definitely not going to be secure in three years’ time, Essaid underlined the importance of an agile security team who are able to react to new trends as they happen.
Following the sponsored sessions was another panel, this time discussing how to react to a breach, and how organisations can ensure that they are breach-ready using simulations and real-world learning examples. The role of cyber insurance was also discussed, and this provoked a number of questions from the audience, particularly concerning whether cyber insurance “add-ons” are worth the cost, and where the responsibility lies for various different types of breach.
Breach containment was the subject of one of the next sponsored sessions, led by Paul German from Certes Networks. German spoke about the concept of the “data breach blindspot”; in other words, finding the places where hackers can move between departments and containing breaches as much as possible.
Rui Melo Biscaia from Watchful Software spoke about some of the challenges of securing data in an age of BYOD, cloud environments, and flexible working policies. Biscaia discussed some of the strategies that companies need to understand and implement, whilst still allowing their organisations to move forward and do business in an ever-changing world.
Justin Coker from Skybox Security was in Theatre 3, discussing how to analyse indicators of exposure and use these to predict where the most likely attacks will occur. Coker also highlighted the importance of an overall level of awareness of a business’s cybersecurity needs, from boardroom executives to administrators, and how this can help the CISO to prevent and react to potential threats more effectively.
The closing keynote of the day was a panel discussion regarding the skill sets that are required in the cybersecurity arena, and where companies can find the kinds of people they need to keep themselves secure and investigate potential problems. The following quote provided some fuel for discussion among the audience:
The panel were also asked whether they see a lack of diversity in fields related to computer science, and what can be done to combat this. Ian Glover from CREST spoke passionately about the need for increased diversity in the business, and the importance of initiatives in schools and colleges to encourage all young people to get into STEM subjects.
The next SC Congress will take place in Amsterdam on the 19th of April 2016. Anyone interested in attending should consult the official website for details.