Industry professionals from a range of verticals joined the SC Roundtable this week to discuss the fate of Dido Harding, or in other words, how to prepare for a breach.
Sponsored by FireEye Mandiant, a giant of the cyber-security industry, the roundtable kicked off with speaker Matt White, a cyber-security professional with 17 years experience in the field, 11 of those were at KPMG.
“If you go back five years” said White “people thought that if you got breached you hadn't bought the software.” That, as so many now keenly feel, is no longer the case. Once JP Morgan got hit last year, an earth-shattering breach in which the data of 83 million accounts was believed to be made off with, “people stood up and accepted it's very likely they're going to get breached.”
But why? In the 1970s, said White “the infrastructure was incredibly complex but easy to manage.” After all, as an administrator you could control every aspect of the network. Once you get to the 1990s, things get more complicated “with the use of laptops, now you've thousands of applications to control.” but “ still, you controlled, you built it, you decided what was running on it.” Come the millennium “you've got millions of devices you've no longer got control over.” While the perimeter was once a known quantity, the reality today is that “anyone with a mobile device is now the perimeter.”
Human behaviour and trust, not technology, is now largely the issue: “Ashley Madison showed just what people were prepared to do if they weren't being watched.” Now people can facilitate a breach or a data leak without even knowing they're doing it.
The mindset that says out-of-the-box software is enough is dead, or should be dead by now. In medicine, said White, they're always developing new antibiotics and cures, but that doesn't mean they stop washing their hands before surgery. The analogy must be applied to cyber-security. JP Morgan had a hygiene programme and “after that stopped they had one of the biggest breaches of the last few years.”
|Matt White, the roundtable's speaker|
That diligence is quite clearly required for planning for a breach. but you can't just write the plan and sit on it; things change. As White said “a plan is like an MOT: it's valid for the day that you write it; you have to update it.”
Nick Iannou, a blogger, author and head of IT at RG Partnership Ltd brought up the subject of plane crashes. In the event of a crash, most airlines have got exactly right what so many in the cyber-security industry have got wrong. In such an event, in addition to their usual role, employees “all had training to deal with the cameras and the press.” Technologists, those best placed to explain what has happened to the authorities, aren't always the best people to tell the public. “You can be brilliant at your job” added Ioannou, “and yet cause more damage when you're in the spotlight.”
Guardedly, White doubled down on Iannou's statement “very few geeks are good in front of people. Stereotypically it's difficult to find a technologist who is good in front of the camera.”
Iain Hunneybell, senior security architect at HMRC, or rather the man who holds the key to the Queen's money, sympathised, “you're trying to give the most honest answer from what you know, but if you're not careful you can get it quite wrong.”
|Monhanjit Gulshan and Chris Powell|
“Media training is a long ruthless process”, said White. When he was at KPMG, 300 people in his department underwent a grueling day of exactly that and “only five passed the complete training to the point where you were actually allowed to sit in front of the camera.” Perhaps the technologists shouldn't be the ones to disclose a breach. Going back to the comparison of plane crashes, White noted, “a plane crash is a technical thing but the person who is reporting on the crash as a PR person, reports on the crash itself.” But “if you can take the best practice of those kinds of people, which we don't do, maybe we can start learning something.”
So what to disclose and how to disclose it? TalkTalk took the line that it should be as open and honest as possible about its unfortunate breach and handled it badly. Others might want to keep their cards close to their chest.
Terry Willis, head of information systems at charity, Age UK, felt that Dido Harding, chief executive of TalkTalk who was so infamously mauled at the hands of Newsnight's Kirsty Wark, after the breach, was worthy of sympathy: “What I thought was she was being really honest about what was going on at the time. But with these things nobody really knows what's going on until a week after. It just caused panic for a lot of people.”
Then again, remember your target when reporting on a breach is not the press, but the consumer. Mohanjit Gulshan, CISO at Mojo Security said “if you have a message to get out via that channel (the media), don't let journalists do the questions; your message is to the end user.”
Thomas Naylor, director of Enablement Ltd thinks that those reporting a breach should “drop the descriptors until you know what happened; then report what you have to legally.”
White wondered “does the consumer genuinely care?” They certainly can be a lethargic bunch. White himself went to buy a phone at the Carphone Warehouse just after their breach, so maybe the details aren't all that important.
Naylor, responded that if customers don't care now “they will start to do that.” Exactly because “you have the risk with regard to identity theft.”
Chris Powell, head of cyber-security at DNV GL, who brought over 15 years sector experience to the table, mentioned that even if the breach doesn't matter to your customers, it might matter to you. Powell recalled an incident where a pen drive was lost containing mostly false data. It was then reported that “a whole lot of personal data had been lost on a pen stick in a car park.” While the data loss was minimal “the reputational damage and the impact was significant”
|Darren Gale, of FireEye Mandiant|
You might not even be the one reporting it, Iannou reminded the room. There's a good chance people “were told about the breach by someone else. Your first call could be a journalist.” 67 percent of breach events are discovered by a third party, “it's the most likely scenario”, agreed Gale.
The conversation led to the issue of cyber-insurance. It's still an immature space, as White mentioned, but becoming more popular as cyber-threats and the costs associated with breaches move closer to the centre of people's minds. Often, mentioned Powell, “there's no actuarial data” to back up the underwriting. While “with houses and cars there are many years of statistics to back that up. There are none for cyber-security.”
Finally, the room addressed one of the biggest problems in preparing for a breach on any CISO's plate; dealing with the boss. The potential costs of a breach are increasingly being recognised by boardrooms and executives, but slower than many would like. Executives might approve larger and larger cyber-security budgets, but they're not taking the time to secure their own computers.
Terry Willis mentioned that Ashley Madison revealed quite a bit: “It never fails to amuse me about how many people at senior level will not fail to use work accounts for 'sporting activities.”
People just don't take their corporate credentials as seriously as they do their personal details. Naylor recommended testing out your staff with fake phishing campaigns, and see how the results surprise you: “You have people who should know better at senior levels, the head of legal, falling for it first time.” That kind of embarrassment “is a form of training and awareness that everyone needs to do. The default position of any person is that I'm smart enough, I won't fall for it.”
These kind of tests plug into that “question of awareness of people being able to test your credibility in ways you are not aware of.”
Like so much else in this industry, all questions, or at least most, come back to the human. Jim Griffiths, CISO for the Kier Group, spoke plainly: “Each breach has shown, that these companies have been breached despite having the best cyber-security in place in place so it goes back to business practices.” We want that element of cynicism said Griffiths: “We cannot get away from looking at the people side of this.”
|Only report what you have to, Tom Naylor|
By the ‘people side of this' we don't just mean inculcating best practice into staff but figuring out motivations in a changing threat landscape for those that might be targeting our ‘crown jewels.' Gale mentioned “if you look at APT groups, historically, they were state sponsored.” That said, Gale assured us that there will be more and they will be more disruptive and destructive over the next 18 months, not by stealthy APT groups, but loud, brash hacktivists that unlike criminals or spies, want to be seen as far and wide as possible.
Like so much else in this industry that supposedly about technology protecting technology, people still lie in the centre of this issue. The roundtable mostly orbited this subject, perhaps to the surprise of some. Matt White, our speaker that morning put it nicely: “the reason we've focused more on people than on technology is that it always comes back to people."