We know where you are and we know what you are saying…
Who are we? Anybody who has access to the internet!
All voice communication mechanisms are vulnerable to cyberattack. Your calls can be monitored and your location tracked. The Chaos Communications Congress in Hamburg at the end of December included detailed presentations showing how, given only a mobile phone number, it is possible to track the location of any cell phone and listen in to calls made on that phone.
The Norwegian press reported in December the discovery of cellular network interception equipment near the Norwegian parliament and a number of government offices in Oslo. This equipment, which operates as a fake base station, allows mobile network voice and data calls to be monitored and can be built for as little as $2,000. The Norwegian report is the latest in a number of similar reports. Together these reports demonstrate that cellular networks are not secure. Any organisation should treat these networks in exactly the same way as the Internet. Use them, but ensure that confidential information, voice, video or data, is protected with encryption.
Many listeners held pencils aloft during President Obama’s 2015 State of the Union address, to remember the physical attack in Paris on the offices of Charlie Hebdo, only days before. The President continued, covering ‘cybercrime’ and how no foreign nation or individual hacker should be able to shut down networks or steal trade secrets. Hackers targeted 19,000 French websites soon after the terror attacks and it has been reported that over a period of 15 days (3rd to 18th Jan 2015), a total of 11,342 unique DoS attacks were reported as targeting ‘France’, an average of 708 attacks per day.
While much of the cybercrime the President was referring to, was probably high profile attacks on big business like Target, JPMorgan Chase and Sony, small businesses are far from immune. Cybercrime and cyber spying is estimated to have cost the US economy in the region of $100bn a year and the global economy about $300bn annually. According to PwC, the average cost of a firm’s worst security breach is rising significantly. It estimates that small businesses will suffer breaches costing between £65,000 and £115,000 on average. Large firms will see costs being anything from £600,000 to a staggering £1.15m.
It isn’t just denial of service attacks which causes significant ‘crime’ costs to companies. Penetration attacks to gain confidential information occur too, but here the costs are more difficult to quantify. It goes without saying, they are critical to a company’s commercial viability.
Consider Angela Merkel’s position on 23th Oct 2013, as she conducted a terse conversation with President Obama on a secure landline, about how the US had been monitoring her mobile phone communications for possibly the previous ten years. Who can place a figure on the cost of her mobile phone verbal and text communications being gathered? This is a phone she continues to use today…
Compliance and Human Rights
When compliance is discussed in an IT context, financial sector regulations applying to data processing and storage usually spring to mind. However, compliance is a much broader topic. Compliance regulations apply to most businesses, not just the financial sector. Compliance also applies to all forms of business communication, including phone, video and Instant Messaging (IM) communication. This collection of real-time services is known as Unified Communications (UC), now in use by most businesses.
The Handbook on European Data Protection Law provides a summary of regulations and quotes article 8 of the European Convention on Human Rights which is summarised as: a right to protection against the collection and use of personal data. The broad scope of these regulations places a responsibility on all businesses processing personal data to protect that data, and holds that business responsible for breaches, no matter how those breaches are triggered. This includes the loss of data through any IT security breach. This means that any IT system which includes UC services is not compliant if it is not protected against attack.
The frequency with which security breaches continue to occur has lead to new proposals for EU data protection regulation. These include a requirement to report all security breaches within 72 hours. The proposals also establish a public register of all breaches notified. In addition, any breach can result in a fine of up to 5% of global annual turnover. The magnitude of the fine will depend on the level of data protection measures implemented by the offending organisation.
It is clearly in a company’s interest to ensure that adequate security and compliance measures are applied to all information processing systems. As Paul McNulty, former US Deputy Attorney General, commented: If you think compliance is expensive, try non compliance.
As a consequence of the November 2008 Cabinet Office Data Handling Review report, all public sector organisations are now mandated to ensure any digital information that is either person identifiable or otherwise sensitive is encrypted. This mandate applies to both the storage of and transfer of any such digitally held information. For example, the NHS is now in the process of ensuring that all phone calls, including video, voicemail and instant messaging are encrypted to appropriate NHS standards.
Chairman – Palo Alto Risk Solutions