Cybercrime is costing British businesses £34 billion per year, including £18bn in lost revenue, according to the Centre for Economics and Business Research. But it appears that the majority of British businesses have yet to take cybercrime seriously, even given the threat of EU legislation which could involve huge fines for breaches. This was the subject of a roundtable discussion by a panel of leading cybersecurity experts, convened by Super North in the offices of Deloitte in Manchester.

It was a fitting venue in light of the recent report, Consumer data under attack, which contains the warning that one-third of consumers would now close their account or stop dealing with a business following a breach. The report also insists that it is ‘no longer just an IT issue’ and boards need to take note of consumers’ awareness and cynicism about how their data is used. Building the right cyber strategy, with transparency at the heart, could lead to gaining competitive advantage.

The roundtable discussion panel included two Deloitte experts in cybersecurity: Richard Covell, who heads up the forensic team, and Umair Ahmed of the risk advisory team, who has been monitoring large transactions for the last 15 years. They were joined by Dr Ali Dehghantanha, a lecturer in cybersecurity at Salford University, and Paul Vlissidis, technical director of NCC Group.
The gathering was chaired by Alasdair Nimmo of Super North, who set the scene by pointing out that everyone was now a victim of cybercrime in some form or other. This brought an immediate and strong reaction from Mr Vlissidis, who insisted that if the issue was not in the top three for directors then “they shouldn’t be in post”. He was supported in this by Dr Dehghantanha, who said it simply didn’t make sense if cyber health was not being reported to a company’s board. Mr Ahmed added that his team was finding that 79 per cent of boards do not hear about cybercrime. “There is a huge gap,” he said. “Organisations now simply don’t have that visibility.”
Mr Nimmo questioned whether this was because people who make decisions are not necessarily the ones who see details of what is actually happening. Mr Covell argued that cybersecurity can only work if it comes from the top down and then becomes “pervasive across the organisation,” and added that “if you look at the potential damage it can cause, it should be in the top issues always addressed”.
Paul Vlissidis told the panel that part of the problem lay in people regarding cybersecurity as equivalent to having a fire in the building. “When it happens and they have to face the music, they will realise just what is involved,” he said. “They simply need more skills in how to handle this.”
Dr Dehghantanha, however, sounded a more optimistic note when reporting that his university was receiving more requests for specialised training. “I am seeing an increased appetite to come and learn,” he said. “What is surprising is the current lack of knowledge and skill out there when there are regulations coming from the EU, with fines of possibly 5 per cent of their income if they are not considering cyber risk.”
The discussion then moved on to consider malware. “It’s the tool of choice for cybercriminals,” Mr Vlissidis said. “They can custom-build it so it is unrecognisable, and when used with phishing it can be devastating.” Of course there is also the threat from the “rogue insider”, which the panel agreed did not have to be malicious but which could come about because of poor controls around the ever-increasing amount of data held on personal devices which are taken home. This, in turn, is often the route of access for cybercriminals.
“Wherever there is a gap, a weakness, this will prove an entry point for cyber-criminals,” Mr Vlissidis said, “and mobile phones and tablets have made a difficult scenario significantly worse in terms of security. We run regular phishing projects to test our clients, and the number of people who click through the links we provide and who do not have the suspicion or awareness to spot a good email from a bad one is a tragedy.” He went on to warn that things will only get worse as people move increasingly toward the cloud, or to a mobile workforce.
Cybersecurity training across the whole organisation was the only solution to the problem, “difficult or impossible as it may seem”, according to Umair Ahmed. He added that the only other option was that the control to deal with a cyberattack should be handed to “a higher organisation” – but he wondered whether companies could deal with this. “Probably not” was his conclusion.
Mr Nimmo then posed the question: if companies cannot be guaranteed 100 per cent security then what can they do by way of protection?
“I would say in terms of protecting your online presences,” Mr Vlissidis replied, “you have to understand what your online presence is, how they are connected both directly and through service providers. If you look at targeted attacks, they were breached because of a contractor who had information. That’s a documented situation. It’s about every way in which you interact with the internet. If you are targeted, the cybercriminals will do an excellent job of scoping you out. It has to start with threat assessment, what data you have and what controls you have around that data to protect it which is something people are frightened of. They’ll have to get over that – and again, encryption isn’t a silver bullet. There are holes there that need to be plugged. It’s about monitoring people and putting technologies in place to pick up the point of when you get attacked. You need an appropriate response to contain the loss, hopefully to zero. You need a mature response.”
Dr Dehghantanha suggested that companies should assess the value of the data they hold and then prioritise their security accordingly. Mr Covell went further, suggesting that companies should dispose of anything they do not need to keep. “Look after the crown jewels,” he said, “but get rid of the extraneous information.”
But serious as the situation is, the chairman asked, does it really warrant being described as a cyber war? Mr Vlissidis expressed reservations about the terminology. “I worry about characterising it as a war,” he said. “It gets you into a certain way of thinking, of having bigger weapons and companies being bombed. If it is a war, it’s like the war against poverty and disease: we can do things to alleviate it, but can we win?”
To find out more on the discussion and read further articles from the Super North Innovation edition, visit Deloitte’s Northern Powerhouse blog.