This mornings' SecuritySerious conference kicked off Cyber-Security Month 2016 with a group of information security professionals gathering inside the Department for Culture, Media and Sport building just off Parliament Square in London.
Gathering in room 29, where Winston Churchill gave his VE day address back in 1945, the conference was set to discuss more modern issues such as the upcoming General Data Protection Regulation, employee education and awareness, thinking like a hacker and protecting people from social engineering.
Although the conference could be seen as an admirable cause, as organisers Eskenzi PR claim it is a drive to get UK plc thinking more seriously about security, a number of IT security professionals told SCMagazineUK.com that the conference was mostly “preaching to the converted,” as the conference was mostly attended by seasoned IT security professionals who are very familiar with the issues on the agenda.
Event organisers Eskenzi PR said in a press release, “In this Cyber-Hostile world, it's important for companies to share intelligence and expertise which is what Security Serious Week is all about - renowned experts joining forces to inspire others to become more security savvy. The campaign has the tagline “we take security seriously – do you?” and is designed to inform, reward and inspire people to tackle some of the industry's biggest issues during European Cyber-Security Awareness Month.”
The conference opened with a session named “Coping with the ever changing legal landscape – what does it mean for your security department?” led by Jonathan Armstrong, from Cordrey Compliance.
Armstrong asked the audience to raise their hand when asking, “Who has heard of the GDPR”, to which most of the room raised its hand. His second question for the audience was, “who would say their companies are prepared for the GDPR?” to which only three people raised their hand.
This was followed by Mark Deem, partner of law firm Cooley LLP, pointing out that, “by the time the GDPR will come into power, it will be woefully out of date.”
It was this sort of theme of knowing what's to come, but fighting an uphill battle which unfortunately carried throughout the event.
The recurring issue of security training for employees unfortunately also fell on deaf ears as it was discovered that most of the people in the room were in agreement that we need more security education.
With visible agreeing shaking heads in the room, Vicky Gavin, compliance director, head of business continuity and information security at The Economist Group, boasted of her Post Graduate Certificate of Education and said, “You can't shoot info at people; you have to change their behaviour.”
Both also on the panel, Quentyn Taylor, head of information security for Canon EMEA and Brian Brackenborough, CISO of Channel 4 said that their employees were some of their biggest threats.
Feeling as though employees were put in the firing line a bit too much, Dr Lukasz Olejnik, security and privacy consultant and a researcher at UCL, stood up and challenged the speakers on the reasons why they are “trying to push liability onto employees” instead of “choosing to do great security.”
Controversially, Brackenborough later said, “security awareness can't be taught, either you're born with common sense or not.”
From the audience, Gosia Rybakowska, analyst for the Privacy Security Centre said, “businesses should think more about security by design, not shifting the blame to employees.”
The penultimate and final sessions focused on social engineering. Jenny Radcliffe, a social engineering expert, said she too is “sick of companies shifting blame onto employees”, as it simply looks bad on the company if it is always suspicious of their employees.
Ian Glover, head of the CREST association, spoke of the many ways in which we could prevent insider threats, including swaying people away from cyber-crime by teaching the consequences, promoting transparency in companies, and aiming to provide universally wide education.
Nick Ioannou, head of IT for the Ratcliffe Groves Partnership, a firm of architects, later told SC that he agrees with Radcliffe, saying that, “generally shadow IT issues arise when employees feel as they don't have the tools to do their jobs, and need something quite quickly in order to hit a deadline on time. This is where typically a user might use Dropbox to move files to another computer, if their original computer fails. From my perspective, it's never been something malicious.”
