A conference on the rising threat of cyber attacks emphasised the need for businesses to do more than merely comply with rules
AT RSA’S EUROPE conference 2012 in London last week, the information security sector made a case for appropriating the old line about not knowing which 50 per cent of spending is wasted.
In keynotes and executive briefings, RSA executives kept returning to the theme that too many businesses invest in the wrong areas of security. For some, dealing with the issue has simply become a box-ticking exercise that owes more to regulatory compliance than addressing actual threats.
That’s an inadequate response in the face of a growing problem, they said. In the same week as the conference, the Ponemon Institute in the US published figures showing the rate of cyber attacks doubled over the past three years while the cost of incidents rose by 40 per cent.
Misha Glenny, whose book DarkMarket investigated the online criminal underworld, was one of the event’s keynote speakers. He referred to the reported loss by one London-listed company of £800 million last year as a result of a single cyber attack. The cost of cybercrime is “rocketing”, he added, echoing a theme of the conference by saying the focus is on the wrong side of the financial scale.
“We don’t know how much money we’re losing on digital malfeasance; I mean how much we’re actually spending on the problem. There we do have figures – usually spending on high-end digital solutions. This is roughly $100 billion in a year although that is set to double in less than a decade.”
Sam Curry, chief technology officer for the identity and data protection division at RSA, said many security budgets have become “a calcification of previous spend”.
Too much outlay still goes on traditional perimeter defences and commodity products such as antivirus, firewalls and intrusion detection systems. “We need to invert that pyramid,” said Curry.
This spend often occurs because businesses don’t collect the right kind of data to understand if their defences accurately address the risks they really face.
Curry’s words echoed the address that kicked off the three-day event, when RSA’s executive chairman Art Coviello spoke of the “perception versus reality gap” in security investment.
Part of the problem may be that the security sector has “very poor indicators of success”: that was the view of Josh Corman, director of security intelligence at Akamai Technologies. He struck a downbeat tone from the first bars of his keynote: “Are we getting better? The answer is no.” Referring to when the PCI-DSS security standard was introduced, he said: “We started to fear the auditor rather than the attacker.” It’s safer to spend money on compliance than to track whether trade secrets are being compromised, he suggested.
“What we do is like little kids playing soccer – we follow the ball. We focus on the things that are visible instead of the things that are important.”
What’s more, the problem is a moving target because technology is constantly changing – trends such as mobility in the workplace and cloud computing are having a “disruptive influence” that are changing business priorities.
Corman challenged the assembled delegates: “Are you here to do better security or do you just want plausible deniability?”
As attacks grow in number, the range of targets multiplies. Glenny said the net’s very interconnectedness is a source of its insecurity: companies can end up in the firing line because they might be linked to the real target.
“Potential victims of these attacks are no longer just large law enforcement agencies or big corporations . . . in business it’s everybody in the supply chain because of the realisation that there will be interlocking relationships.”
Some become targets because they hold credit card information that cyber criminals can steal to pay for their attacks. Others have weak security that can be exploited to hide the source of their attacks or to host malicious software. The risk of events like RSA is they serve as echo chambers because most delegates already work in security roles and the exercise simply preaches to the converted.
Brian Honan, a Dublin-based security consultant who spoke on a discussion panel at the event and gave a seminar on informing senior management about security risks, said the conference had practical lessons for businesses.
All companies should consider themselves at risk.
“Obviously the impact is greater for some than others, but it’s a threat that we all have to be concerned about,” he said.
“IT needs to be able to present these issues to the board in a way they can understand – to talk in terms of the business impact, or the business benefits. For instance, how can good security let the business engage with cloud computing, and ‘bring your own device to work’ trends. Don’t just look at the negatives,” he said.
The most important lesson from the event is that businesses shouldn’t perceive security as just a technology problem, he said. “It has to be viewed as a threat to your business and not just a threat to your IT.”
Designing better defences: Exploiting our natural sense of trust
SECURITY’S ROLE shouldn’t be to eliminate malicious activity altogether but to work in a broader system that maintains a balance between those who obey the rules and the minority who break them.
All complex ecosystems require cooperation, but those same systems are also home to ‘defectors’ – the game theory term for people outside the system’s rules.
“It could be spammers on email, or thieves in a market,” said Bruce Schneier (pictured above).
Schneier is BT’s chief technology security officer and one of the world’s foremost thinkers on information security. He used his keynote address and press conferences at RSA 2012 to urge delegates to take a wider view of the world than simply building more complex defences.
“In security, we look at the untrustworthy people and it’s actually surprising how rare they are,” he said. “The amount of trust we have in society is actually staggering.”
The ways to induce trust in any connected society are morals, reputation, laws and security systems, all working together, but the rapid rate of technological change makes it hard to balance those elements.
Schneier said attackers use technology faster and aren’t constrained by institutional inertia, so the goal must be to catch up with them.
Technology can help with this; reputation scoring systems such as those used by eBay or Yelp create trust, he added. “We are much better when we look at the entire space instead of just the security systems.
“We will do much better against any types of crime or fraud if we can engage people’s moral systems or reputational systems or get the laws working right – and for everyone else we have the firewalls.”