Improving the response to cyber crime
In his annual State of the Union speech in January, President Obama stated that “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids.”
Then in April, President Obama declared foreign cyber threats a “national emergency” and gave the government new powers to target significant cyber threats that affect critical infrastructure or steal trade secrets and financial information, such as credit card data. As the politicians and the media continue to report cyber crime incidents in an alarmist way, it is incumbent on companies and governments to adopt technologies and work practices that reduce and manage the risk from cyber crime.
The underlying intent is nothing new: crime, industrial espionage, state espionage, political and social pressure, disaffected individuals, terrorism, state tension and state warfare are as old as the hills. It is the medium through which it is conducted that is different. The exploitation of the on- and off-line digital infrastructure on which people, industry and states rely is now the medium of choice for those with malicious intent.
Cyber crime attacks bring with them fundamental differences in risk management. The speed, scale and geographical reach (and the relative impunity) with which such activities can be carried out transcend what is possible in the physical world, so the number of potential victims is far greater and the entry barrier for those with malicious intent has dropped (in that far more people are happy to carry out on-line criminal activity than they are in the real world).
Risk management
While much is legitimately said about the “Cyber skills gap”, less is said about improving the Cyber knowledge gap. Risk management decisions and associated investment decisions are made at the Board level. Therefore Boards need to understand, in pure business terms, what an old threat in a new digital environment looks like.
Similarly there is the need to educate existing IT and engineering staff as to what the threat vector looks like and how it manifests itself. They need to upgrade their systems and maintain them in a way that results in secure usability and availability. It is also essential to increase the knowledge within a workforce so that they carry out their functions fully cognisant of the modern day cyber security risks; in the same way that they accommodate physical security considerations.
Normalising the risk management to this modern day threat is not optional. There are leading UK organisations that have the experience to reduce that knowledge gap, and to place organisations in a stronger, more confident position to run their businesses and departments managing the risk proportionately and balancing investment accordingly.
There are also UK companies that provide the technology to counter cyber attacks and meet the growing regulatory and compliance requirements.
Compliance and Secure Unified Communication Services
In December 2014, ENISA published a set of recommendations for security communication services. These recommendations were produced as a result of recent changes in European Union directives and regulations. These changes have been adopted as law by most EU member states. The ENISA directives specifically include Unified Communication (UC) services (voice and other real-time applications) over a range of network types including 3G/4G and VoIP networks. The ENISA recommendations include measures for the protection of personal data, measures for network access control and measures for ensuring the ability to securely monitor communications. Fortunately, the industry is starting to recognise the problem and a number of UK-based companies offer solutions.
Network access control, particularly on WiFi networks, is the first challenge. Many WiFi users are familiar with the need to provide authentication on public WiFi networks and the challenge of remembering the details for multiple networks. A bigger challenge is managing WiFi access on corporate networks, particularly when an organisation spans multiple locations. There are technologies which solve this problem by providing managed access across public and private networks. With this technology you can connect and validate a device in one location and automatically reconnect in any other location.
The second challenge is protecting the communication content across all network types including managed networks and public access networks. The only effective method is to ensure that all communications are encrypted between the end-user devices and the application servers in the corporate network. This is common practice for data services, but is not widely adopted for UC services.
There are now UK technologies available designed specifically to encrypt voice, video and IM without compromising call quality. These same technologies also protect the service against attacks such as Denial of Service attacks and call fraud attacks which are prevalent on open networks.
Selecting the correct mix of available technologies provides the security needed to counter cyber attacks and meet the current regulatory requirements. It also provides an enhanced level of service, reducing communication costs, increasing profits and delivering measurable business benefits.
Julian Simmonds
Chairman, Palo Alto Risk Solutions, www.paloaltorisksolutions.com