Information: The new commodity of choice for the virtual thief
by Adrian Leppard QPM, Ex-Commissioner – City of London Police
Cyber security presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril.
As the Commissioner of the City of London Police and Chief Executive of a 1,100-strong workforce, I am wrestling on a daily basis with a host of conflicting priorities, threats and opportunities. Society and business are moving at such a fast pace that success or failure depends on the ability of organisations, and of those that run them, to adapt and change, more than on their ability to conform to established norms.
However, the need to balance risk against threat and opportunity remains a constant. At board level we look for reassurance through a combination of professional advice and established information, whether that is rules and regulations, best practice or the competition.
Cyber security creates a conundrum, as there are so few established norms to draw upon. We therefore naturally fall back on what we know in terms of processes and structures. Yet there is a risk in simply allocating the task and its responsibility to someone, and allowing ourselves to be reassured that all that needs to be done is being done.
This is one of those areas where the corporate hairs on the back of your neck should stand up causing you to ask a lot more questions.
Cyber, to most of us, means the Internet. Growth opportunities are about maximising the use of IT and the Internet to create a more profitable business; therefore risk mitigation in terms of cyber security must be about shoring up our IT infrastructure, or so we assume. Protecting against malware intrusion is clearly a key component, but the risk is far greater and needs a more holistic approach centred on the culture of an organisation and its approach to information security.
Clearly the threat is very real, as highlighted by the 2013 Information Security Breaches Survey conducted by PricewaterhouseCoopers (PwC) on behalf of the UK Government’s Department for Business, Innovation and Skills. This identified that:
87% of SMEs and 93% of large corporates had experienced an information security breach in the last year, with losses per incident averaging roughly £50k for SMEs and £500k for large corporates.
Scary figures, which unfortunately correlate with the assessment that cyber crime is costing the UK some £27 billion annually, and with the McAfee-sponsored study for the Center for Strategic and International Studies earlier this year, which put global losses at between $300 billion and $1 trillion a year.
The scale and nature of the threat we face is diverse and growing and, unfortunately, as criminals learn their new trade, it is becoming ever more sophisticated. The cyber threat of the last 12 months is already more refined than that of two to three years ago. I’m afraid that is the nature of criminality, and as society and businesses increasingly go ‘online’, the threat we face increases also.
Investigating cyber threats
City of London Police hosts the UK’s National Fraud Intelligence Bureau, gathering reports of crime and intelligence. More than 70% of the fraud reports we now receive indicate that the crime was enabled through use of the Internet.
In addition to disseminating reports and helping shape the UK threat assessment, City of London Police, with the help of our industry partners, is using this information proactively to protect our community. Each month we close down more than two thousand websites, bank accounts and telephone accounts used by fraudsters. This is saving UK businesses more than £200m a year.
We also host our own investigation teams, working with other agency partners to investigate fraud ranging from corruption to insider trading, and we actively support the new Economic Crime Command of the UK National Crime Agency. Dealing with the cyber threat is a clear priority of the UK Government, supported in the form of policy and new investment. Through our work with the National Crime Agency and other partners at home and abroad, we are gaining a better understanding of the threat and successfully targeting the people responsible, both in the UK and overseas.
But it’s not enough.
What we see is a growing problem comprising more sophisticated international organised crime groups targeting individuals and businesses in the UK.
So, what can businesses do to protect themselves?
For that we need to better understand what is happening in these security breaches and cyber attacks. Whilst some of this might fall under one of the many labels collectively described as ‘cyber’, the reality is that a proportion of these criminal losses are simply old-fashioned fraud, using emails and online forms in place of paper processes. What is more interesting is to understand how the wider use of the Internet in society, and the manner in which data is stored electronically, is enabling fraudulent access to personal information, and how that information is then being accessed, stolen and used by criminal groups.
It is the security of information in all its forms which presents one of the key challenges. Personal and commercial information is the new commodity of choice of today’s virtual thief.
A new global market exists in which stolen information is traded as a precursor to fraud. Importantly, only a portion of this is being stolen through technical attack on IT systems; the rest is walking out of the door by way of the ‘Insider Threat’.
It is happening wherever this information is available, which may include cloud servers or any repository within increasingly sophisticated hardware and fragmented supply chains. Once accessed by the cyber thief, this information is harvested and, if necessary, refined through open source research and intelligence-led information gathering, using traditional contact by telephone or email and sometimes further targeted technical attack. However, millions of pounds are also being lost every week through compromised account information that has clearly come from a source within apparently secure systems.
Motivations for cyber crime
Cyber Crime, Cyber Warfare, Cyber Terrorism and Hacktivism are expressions often used to describe the motivation rather than the capability of a threat group.
We infer the intention of an attack from its known outcome, or from what happened as a result of the breach. For example, Hacktivism is widely publicised because its motive is to disrupt overtly and it is inevitably associated with publicity. By the same token, criminally motivated attacks are uncovered through fraudulent losses.
However, the real concern for us all should be those infrastructure breaches, which are intended to remain undiscovered. The absence of intelligence or knowledge concerning the nature or existence of the threat does not mean it does not exist.
You see an indication of this in a Reuters report of August 2013, which highlighted that more than 50% of the world’s securities exchanges have been subject to cyber attacks, mainly denial of service attacks of increasing sophistication. More importantly, back in 2010 hackers infiltrated NASDAQ and installed malware which enabled them to spy on the directors of publicly held companies. Within the UK, our security services have publicly highlighted similar threats to large corporates following covert cyber attacks aimed at gathering highly sensitive commercial information.
We have to recognise that information is the commodity, and we need to protect it according to its level of importance. One of the first challenges, therefore, is to properly map the information that your organisation holds, in terms of how valuable it is to others as well as to your own business, and then to risk assess how it is stored and accessed.
This isn’t simply about appropriate firewalls and technical infrastructure; it is more about a culture shift towards the management of information with a focus on people, their access and their approach to this information.
The UK Government launched its own National Cyber Security Strategy two years ago and has invested a great deal to help businesses combat the threat, with a number of useful guides being produced. ‘10 Steps to Cyber Security’ and a similar guide for SME businesses are available for download on the Government’s website.
Alongside this there are standards, which an organisation can choose to adopt.
Understanding the maturity of your own security model is the key. Organisations in the UK public sector are following the Information Assurance Maturity Model and Assessment Framework (HMG IAMM), while the majority of private sector organisations follow ISO/IEC 27001. That standard was updated in 2013, replacing the 2005 edition, and the British Standards Institution, in response to ongoing interest from companies wishing to protect themselves, has also recently published a fast-track Publicly Available Specification (PAS 555:2013 – Cyber Security Risk – Governance and Management) which documents some of the outcome requirements of a protected system.
So, good practice is becoming available, but getting this right requires a shift of approach in terms of governance, starting at the very top. The starting point is the recognition that the whole organisation has to be involved – every department, every person and every process.
This cannot be converted into an action plan and a series of tick boxes, then discharged by delegating it to someone else. It will need resourcing and managing carefully and intrusively. The only way for this to be managed effectively is through a series of governance processes that start with the Chief Executive and involve the Board.
Effective mapping and risk assessment of every repository of information, and of how it is made available, will take time and effort, particularly where complex outsourced supply chains are involved. So will involving staff and raising their awareness; and, most importantly, so will changing the paradigms around information access and its use that have accompanied us from the analogue world.
Success in terms of cyber security is simply this: your information is secure.
Whilst governance and compliance with known standards are an excellent means of working towards this, they are not in themselves the answer. The only way you can be certain your information is secure is by asking someone to try to steal it. The good news is that there are now Government-accredited security testing schemes that can be accessed by private businesses. Good examples of these can be found at www.tigerscheme.org and www.crest-approved.org.
The necessary change in culture involves routine penetration testing of systems by third parties, coupled with intrusive internal surveillance: monitoring the technical infrastructure and, I’m afraid, monitoring people as well. This is why appropriate measures across what is an enterprise risk will naturally involve the whole organisation. Staff need to understand the change, but once better informed they will also be best placed to help close down the risk. All of this is going to involve additional resource.
Protecting your business in terms of cyber security is achievable but not without a significant change taking place.
Adrian Leppard, QPM
Commissioner – City of London Police