Threat Management

SC Congress: Cooperation and preparation in the face of cyber-criminality.

Troels Oeting, CISO of  Barclays bank, Tim Lansdale, head of payment security at WorldPay and Bob Tarzey, an analyst for QuoCirca took the main stage at the SC Congress yesterday morning to discuss the future of cyber-criminality and how these three IT professionals police their own assets.

Oeting asks himself a couple of key questions when thinking about who is going to try and scale his walls.

First, who wants to attack Barclays? Well, any number of answers could spring from that question - nation states, terrorists, hacktivists or your plain old cyber-criminal. Then, “what is their intent?  What is it they want from me?” and how are they going to pull that off?.

Switching to his own side, he asks where is he vulnerable and where are all his assets. Such a rigorous examination of both sides gives Oeting an idea of what he might face day to day.

Oeting offered some ideas as to what might be on the horizon. APT actors, “will become even more stealthy in the future and even more targeted.” Insider threats too, will loom large said Oeting citing Tim Cook, Apple's Chief Executive's recent statement that people had offered his employees thousands for their company credentials.

Tim Lansdale is in something of a rare position, “in the cards industry there is a direct link between data breaches and the fraud that occurs off the back of it.”

Over time WorldPay's accuracy has been refined. The e-payment services company apparently used to reject about 50 percent of the alerts it would get from client - “half the time it turned out there wasn't a breach at all.” Now, “if we get an alert in, there probably is a problem.”  While people have gotten better at dealing with breaches, WorldPay's customers had 300 breaches last year, up 200 percent on the previous year, and that number, “it's not going to reduce.”

Bob Tarzey, analyst for QuoCirca brought with him a survey the company had conducted for Trend Micro. It's conclusions were plain - people are accepting more and more that they'll get attacked.

Some 70 percent of organisations, according to Tarzey, now accept that “targeted attacks on their organisation are inevitable.” The number was only 28 percent in 2013.

369 out of the 600 surveyed felt they had already been the subject of a targeted attack. And, Tarzey was quick to point out, that doesn't mean the remaining 231 haven't.

“All is not lost” said Tarzey. There is a flip side to the fact that people are getting attacked more. Often, people are also better defended: “comparatively, UK organizations are more likely to targeted, but less likely to be impacted.”

Lansdale sees a sea change in enterprise security. “We are moving towards a risk-based approach as opposed to a standards approach.”

The good news there is that “industries are going to be able to control their own programmes.” Enterprises will increasingly have to manage their own supply chain.  

Devalue the information that you hold, advised Lansdale. At Worldpay, he mentioned, “we're swapping card numbers with tokens”, and when a breach inevitably does happen, “don't leave it up to the security team”. Nowadays a breach takes legal, human resources and sometimes, public relations to adequately confront.

The problem of cyber-crime, however, needs a community response. Although there are plenty of companies, IT related or not, competing, Oeting thinks, “everyone should fight crime, we can compete in all other areas, but not this.”

He was unapologetic in claiming not only do we need norms of behaviour for the internet but greater international cooperation  in fighting cyber-criminals.  Cyber-crime is not only easy to pull off but difficult to prove and extradite if that key element is missing

But what about cooperation between competing companies for whom disclosure of a breach might mean a significant loss of competitive advantage?

Oeting, for Barclays, has been involved in bringing other large financial institutions into the fold in the cyber-defence alliance. Barclays wants to share with Santander and HSBC. “I know” said Oeting, “that if I'm hacked on a Monday, they'll be hacked on a Tuesday.”  Suggesting that if he shared that attack information, down the line they would do the same.

Lansdale too sees this trend towards greater cooperation, noting,  “We do have working groups within the card industry that are specifically looking at sharing information.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.