Conference review: Infosecurity 2018
Written by David Adams
Infosecurity Europe 2018 provided much food for thought for visitors working in the retail sector. There were familiar risks to consider, new reasons to feel anxious, as well as the usual mix of practical tips and cautionary tales.
One of the latter was discussed in the opening keynote on day one by Baroness Dido Harding, now chair of NHS Improvement, but formerly chief executive at TalkTalk when the company was hit by a major cyber attack in 2015. That had resulted in the leak of almost 160,000 customers’ personal details and a record £400,000 fine for the company from the Information Commissioner’s Office (ICO).
Harding said the attack was caused by the company’s reliance on legacy technology, targeted by a conventional SQL injection attack, described as “the IT equivalent of an old shed in a field… covered in brambles… all we saw was the brambles and not the open window”.
Victims might have found this mea culpa a little irritating, but it was good to see a former CEO who had been through such an experience being prepared to get up on stage and talk about it – something that would have been impossible to imagine just a few years ago.
Another presentation on the first day offered advice on achieving cyber security hygiene on a tight budget. Kevin Fielder, chief information security officer at Just Eat, emphasised the importance of prioritisation: identifying then focusing on the systems and data in the business that require the most protection. He also talked about the value of creating closer partnerships with business partners in order to share information with them and other organisations.
“We’re all trying to solve the same problems,” he said. “Share that work together and think about how you can help each other.”
Other presentations and discussions looked at the perennial problem of creating a security-aware culture. Lee Barney, head of information security at Marks & Spencer, described the challenge of creating a genuinely usable security policy for the company’s 80,000 staff, spread across 49 different countries and various subsidiaries and franchises.
“You can’t sit next to them every day, so you need to train them, so they can identify breaches and concerns and escalate to the next level when they don’t know enough to deal with the problem,” he said.
For those looking for more detail about the sorts of threats their company might face, James Lyne, head of global security research at Sophos, highlighted the continuing use by attackers of old-fashioned file and document-based malware and phishing attacks – many of which have been around for years, yet still work, because they prey upon human gullibility and greed.
He provided some entertaining illustrations, such as the spreadsheet that looks as if it will reveal the salaries of everyone else in your office, or a harmless piece of malware that locks up your computer temporarily, administers a severe telling off for your poor security habits, then unlocks the machine again and uninstalls itself.
A CISO panel discussion on day two considered the ever-tricky question of how to ensure third party suppliers are doing all that they should to keep themselves - and thus your supply chain - secure.
Steve Wright, data privacy and information security officer at the John Lewis Partnership, described the work the retailer has undertaken to help suppliers achieve good practices in data protection and cyber security. He talked about the need for a flexible, common sense approach and suggested that the General Data Protection Regulation (GDPR) has played a helpful role in encouraging many businesses to focus on data protection issues.
The new data protection regulation was itself the subject of another discussion panel on day two, looking at what organisations should be doing now that GDPR has come into force.
Nigel Houlden, head of technology policy at the ICO, stressed the need for businesses to continue to review security policies, education and training regularly. He said that although ICO could now impose severe sanctions on companies guilty of serious and/or repeat GDPR breaches, if an organisation could show it was taking as much action as it could to prevent a breach, this would be taken into account.
“If you haven’t done anything yet - and I know there are companies out there that haven’t done anything yet - do something,” he said.
Any retailers that happen to be in that position - or that may not have completed work in relation to GDPR - should at the very least heed that warning as they consider other measures to ensure the safety of the data they hold, along with their systems, supply chains and reputations.