13/02/2016 Talking Business

We'll come to London. It's a crime that is costing corporations dearly

and it is growing. Cyber attacks are fast becoming the most common wheat

to steal money and information and damage reputations. These invisible

enemies are holding businesses to run some with increasingly

sophisticated tactics. What can be done to combat what many are calling

the crime of this generation? That is what we will be discussing on

talking business. In a high-tech world where

everything is connected, cyber crime is big business. It's fast becoming

the issue which is most on the minds of company bosses. That is not

surprising given it is estimated to be costing global businesses around

$450 million a year. Internet access has become the cornerstone of modern

life. The activity which drives business makes it vulnerable. Last

year a number of high-profile breaches highlighted the

reputational risk and cost posed by cyber crime. UK telecoms group talk

talk fell victim to a hack attack which cost the company around $85

million. Over 100,000 customers took their business elsewhere. The

personal data of over 6 million children was exposed when Hong

Kong-based vtech, which specialises in digital educational toys, fell

victim to hackers. In the USA, infidelity website Ashley Madison

which has over 30 million users came under attack when hackers threaten

to expose the names of adulterers unless the site was taken off-line.

And in Ukraine, thousands of people were left without electricity, the

first known result of hacking bringing down a power network. The

digital world of the 21st century has created a breeding ground for

cyber bobsledding affecting businesses. The challenge is how to

keep one step ahead of the hackers. And to discuss how businesses might

go about that I'm joined by three people on the front line in the

fight against cyber crime. George Quigley is cyber security partner in

London for KPMG. He has over 20 years of experience in technology,

risk and information security. James Chapel is the co-founder and chief

technology officer with digital shadows, a company which analyses

digital footprints to expose weaknesses. And the Professor of

cyber security and director of the global cyber security capacity

Centre at Oxford University. Welcome to all of you. James, if I might

start with you, first of all we need to define the desk. When we think

about cyber security, as individuals we think of personal information

being stolen or bank details but it is more complicated than that?

Define the desk if you would? We often think about keeping our

secrets secret or private information private but just as

important as keeping businesses operating normally and keeping trust

in information we use day-to-day, so we think about the stock market or

we think about our bank website being available. When we hand over

any information, just staying on the subject of personal information, we

have of course lost control of it and that is part of the problem?

Yes, you are lying on the company or somebody else to secure your data,

so you are relying on them to understand fundamentally what Baker

assets they hold that are perhaps your own and other people's data.

And we don't ever have that conversation, how secure is it? We

don't ask the question and actually I think there's a problem because

there's a lack of information. I don't think really understand how

much of this information is leaking from organisations and how much out

there already. We don't ask the question is when we give people the

information and it is hard to find out if any organisation is properly

secured the first place, what certification standard would I look

at and how would I know if it is secure or not. There's an awful lot

of trust and we have grown up in an environment of trust. And part of

the problem as companies themselves are not able to secure the data in a

way they would like to because cyber criminals are always one or more

steps ahead? Certainly it is an increasingly complex challenge and

it is also the nature of the business itself, that is constantly

changing, the kinds of technology required to deliver that businesses

and the relationships to the supply chain and partners and it of data

that a lot of risk lies. They should we see these criminals? Should we

see them as random individuals, perhaps Mavericks, or are much more

organised than that and do we underestimate them if we do that? In

the last ten years we have seen a maturing of the ecosystem that

underpins the criminality, so yes, they're always be Mavericks, but

what are seeing are different units and organisations coming together to

offer different skills to enable crime of many different types. The

criminals and particularly the serious organised gangs have found

out that cyber crime is a good way to reduce risk, so looking recently

at the human traffickers... Because it is anonymous? It is hard to find

it hard to detect with very few successful prosecutions and it is

not seen as a massive problem. You seem to be suggesting it is the same

group of people who may have conducted a bank robbery who are

suddenly experts said he? I am calling it crime plc, shadow

organisations, and they have the same setup and a systems development

team that is one of the main things people are missing. The criminal

organisations have discovered with a lower risk massively by turning to

cyber crime and it is quick and cheap and easy to do in many cases,

because a lot of organisations are not strengthening their controls,

and some of the attacks are actually very low levels of sophistication

used. Some are very high but the businesses I work with in general,

and if you look at the example of TalkTalk, and I do not have any

inside information but it was a 15-year-old. The technique has been

around for ages and it should have been identified through the risk

management process and they should have sorted that, so a lot of this

is not very sophisticated, and we have kind of ceded ground to the

individuals without acting as we need to respond, and our challenge

from an organisational context is understanding what data we need to

protect. And of course sometimes the threat is from within? And what we

are discovering as we talk to organisations is that it is

massively underreported. Not a surprise. Because it is humiliating?

And some fear that it would not look as if they were in control of their

organisations and what that might do to confidence in the band and the

consequences for sheer value. The other issue of course about insiders

is they are inherently threats that have access to your systems, often

overly lengthy period of time, so we call them systems in the community.

That means they have the benefit of serendipity so they might enter the

organisation after one particular thing, but because they set on the

systems for some time that they can move around and discover parts of

the system they wouldn't have got to, and that means they can't turn

up data on organisations that is even more valuable than they had set

it to get in the first place. That makes it very worrying, for us,

because we are humans and we are used to building walls and locking

doors, and in the security industry we have great parameters but we can

be very soft inside. And we talk much more about personal information

but in fact it is a geopolitical threat? They are theirs and that is

not my area of expertise but when you look at what is going on across

the globe, if you wanted to do something on a geopolitical space

cyber is the way to go. We are all connected and there is lots of

interesting information flowing around. It is actually quite

valuable, and beer is also the threat from terrorism and as yet we

have not really seen anything major in terms of taking out a part of a

national infrastructure although there have been some attempts. We

certainly have seen terrorists use money to fund their activities, and

I don't know if you can join this together on a global perspective

unless something happens on a global perspective to try to fight this

issue and I think it will continue. We saw the Ukrainian power network

go down. That was the result of a cyber crime? And in fact if you look

at the whole Ukrainian conflict, there have been a whole range of

attacks, heavily involved in some of the attacks on the Ukrainian banks,

so just for me it is another facet of the complex geopolitical world we

live in. And thank you all for now. Later in the programme we will be

looking at what role the legislation might play in forcing companies to

be more transparent about cyber attacks in the future. But first

let's hear some thoughts from our comedy consultant, who has gone

underground to explore the world of the cyber criminal in this week's

talking point. You can discuss cyber crime properly

without a number of cliches, the underground location.

I am actually in a meeting room in the 200-year-old vault beneath bug

patch laps, here in Dublin. The reason I am here is to get into a

Tech frame of mind. A recent survey of security managers in North

America and Europe suggested one of the biggest barriers to effective

defence was employees' lack of awareness of the risks. I'll just

get this. Hello? Right. A virus on my computer, that sounds serious. My

password? Yes, it's 123. That'll fix it? Thank you so much. Two things

scare me, the first is ours as a species, humans are not always the

brightest. Our most popular password is used solely 123456, and the top

20 is an embarrassing list of things like the word password. We need to

be smarter. The is an enormous return from cyber criminal

behaviour, and on that edge there is some very smart hackers who are

creating and understanding their target and creating ways to bypass

that targets. You must design with security in mind. It is easy to do

but you have to put the systems in place to do that. There isn't much

time and all I can say is we had in the middle of a cyber war and it is

a race against time with the cyber criminals. Now if I can just...

Defibrillator the cold, I should be able to reverse the effects of the

automatic update and then I should be able to save changes to the

Microsoft Word template. Done. Companies don't have a plan for the

cyber attack and many companies can get attacked and it is as if they

haven't a clue what to do whereas they should have had a plan in place

for years in preparation and how they are going to get back in

business and who they will inform, law enforcement data protection, and

how they get their systems back and running. This will get more and more

complex in future. Cyber crime will get more and more sophisticated, can

the text system keep up? New things keep coming out new people to see

how they can make money and law enforcement has stood learn how to

detect a crime but we will always have criminals who learned to break

our systems. When it comes to cyber defence you are only as strong as

your weakest link and I am sure at some point in the Internet I have

signed up for a newsletter whose password is protected by the

equivalent of a security guard on the verge of retirement and to set

up a chain of security theft so complete that next week's shall will

be presented by a 62-year-old woman. The many faces of identity theft,

and remember you can see more of his short films on our website. Let's

come back to our guests here in the studio. Remind us just how prevalent

the insider risk is, because the difficulty with the inside as it is

even harder to define, as we can take work home at the next step of

the Internet as we all want access to everything, the Internet of

things, so the city you are trying to protect is increasingly less

well-defined? Yes and I challenge anyone any modern business to be

able to draw a line around the perimeter. What we would consider

the interface with the rest of the world is constantly shifting and any

one of those interfaces is a front door into a business, any one of

them, any one of us. What can we do as individuals who work for

companies or institutions, what should we be aware of, those of us

who have no IT knowledge and I can myself amongst that? I think it is

worth thinking about, we all value convenience but each of our

decisions to interact with information we should consider

security to be a part of, so while we might enjoy a convenient

experience and a device purchased, what am I putting on that and what

is at connecting to and how was it protected? I get the impression

small companies would have difficulty finding a lot of cyber

security protection and perhaps therefore some form of collaboration

is right around the corner, but you don't hear much about that? It is

interesting because collaboration happens very much at the threat

level, so the criminals are collaborating with each other day in

and an idiot to get what they can out of the system, but yet as

individuals we don't collaborate and don't want to share information.

Because they are competitors? We don't want to be embarrassed and we

don't want to be seen as looking stupid in front of our competitors

and peers, and that is one of the big issues but we have to

collaborate more. I also wondered if companies are tempted to buy

solutions without understanding of analysing what the biscuits. We all

know about via the software and buy it off the shelf, to companies do

that and buy it off the shelf? A lot of them invest in technology is

thinking it is the answer but it is the interaction of technology,

people and business processes that is at the core of this problem, and

you have to take a holistic view of all of those things if you want to

stand a chance of defending against some of the sophisticated attacks. I

feel we are a little bit behind the curve and you advise governments,

would you say they are behind the curve? Gosh, that varies across the

globe. We are lucky in the UK and are very met you in our ability to

set effective policy and to engage with all of the relevant

stakeholders. That is a good point, what about collaboration on an

international level because what might be legal in the United States

may not be in the UK or Europe? And that is incredibly challenging for

large businesses because they find themselves operating in different

parts of the world with different regulatory regimes with different

penalties, for example, if they don't look after people's personal

data, which actually when you stand back and look at it means

incentivising around the world, so you can observe different

behaviours. It is really challenging at the sharp end, so when things go

wrong and there is a successful attack, so often it is emanating

from around the world because that is one of the components for cyber

criminals, whatever flavour they are, in that they can leveraged the

attack from outside the jurisdiction, so if you then

discover that, and a lot of it is not discovered, but the stuff we

discover, going and collecting the evidence and holding the criminals

to a kid any way that might deter others from engaging in that

criminality, that is challenging. It is certainly something the

international community is constantly working on. Are we seeing

a tightening legal obligation meaning companies have to have basic

protection in place? For customers information for example or other

information? We're to implement the general data protection regulation.

That is within Europe. You are seeing that on a more global basis

at the moment but the challenge is, how do you actually get under the

skin of this and that would disclose what has happened. If there is an

organisation and if you look at the guidance, the information

Commissioner's office says you must disclose to them any significant

breach, which involves any loss of personal information. What is the

definition of significant? There is a market failure in some of this and

whether they are busy legislative approach you have to look to some

sort of approach built on liability, and try to change it that way, I am

not sure what we are to goal. We talked about where the protection

might go one collaboration is one answer to that but every time you

move to protect yourself, the desk moves somewhere else. We do you see

the next risks coming from? If you think about how we connect things

like power stations or the German steel plant that had the big

industrial accident, we're connecting these systems to the

Internet and the ability to influence those can mean much bigger

consequences for business. Would you see that as the big problem, that

more and more things are getting connected to the Internet and from

the... ? That is certainly a big problem and one I would imagine you

would see that would affect businesses and people on the street,

unpredictable roads where people have hacked the controls and maybe

people can hack our cars and stop them, maybe we will see some

physical harm. We are likely to see disruption across transport and we

may have power going out. Initially that might have the power suppliers

first, but ultimately it will have knock-on effects, so second and

third order risks as they flow down the chain. The power goes out and

somebody has a crash, we couldn't perform this emergency surgery and

people died. The power went out and our systems than they do it

properly, we have forgotten how much money everybody had on the bike and

so on. I think that is coming and I think the other thing that is coming

is large-scale attacks against critical parts of the infrastructure

that affect the nation any more terrifying way. We have run some

weird at the moment where I can encrypt files and you don't get them

back unless you give me money. What if I could do the same and stop your

pacemaker from working because it is connected to the Internet. I can

make even more money and I don't think we really understand where the

risks are going to come from. What I see and what I read in the press as

a lot of the device is being built on not being built with security

first and foremost in mind, and if you go back to the initial days of

the Internet, the Internet was not designed for security, but where we

are today we should be understanding that perhaps we do need to put

security onto some of these devices and yet we are going to replicate

the policy you again of creating a whole load of insecure devices and

who knows what people will do. Carlos could be won but who knows

where it will go, and we need to think differently, we need to think

about how could somebody who has got that intent, how could they use that

and what role they do and start putting some security in place to

stop them from doing it. Thank you to all of you. That's it for talking

business in London but do join us again next week. We will be an

Australia exploring what role farmers might have in driving

economic growth. It is already approaching -10 in the

Highlands of Scotland, it is called out there and this is going to stay

cold for the next couple of days and nights. Some snow showers across the

hills of north-east England and these continue