Retail Systems rounds up Infosec Europe 2016
Written by Dave Adams
Many subjects under discussion at Infosecurity Europe 2016 – including security threats associated with the cloud, mobility, social networks and the Internet of Things, and the need to ensure compliance with the forthcoming EU General Data Protection Regulation (GDPR) – are highly relevant to any retailer using online service and payment channels.
The exhibition and conference, held at London Olympia earlier this month, saw an interesting discussion aimed at CISOs and security directors about how to turn greater security awareness at board level – the result of a constant stream of security breaches being reported in the media – into a more effective approach to security within the organisation. Participants included Matt Palmer, CISO at Willis Towers Watson, who stressed the importance of being straightforward and transparent when dealing with board members; and of building confidence in the ability of the business to recover from a security breach, not just at board level, but throughout the organisation and among customers. “When something goes wrong most [customers] are going to be on your side if you communicate in the right way,” he said.
Communication was also one of the key themes in another discussion panel, looking at how to become “a successful security leader of the future”. Lee Barney, head of information security at Marks & Spencer and a regular on Infosec panel discussions, suggested that one of the most important parts of the CISO role was to bring security out of an IT silo and into the mainstream of the business. A CISO needed to be “a business-focused person... the sort of person that can relate tech issues to a non-tech audience,” he said. “I advise you to get involved in the fabric of your business – go to the stores... make friends in parts of the business outside IT. That’s how you learn how to [explain security issues] in ways they can understand.”
Mieke Kooij, now security director at online rail ticketing website Trainline, but formerly employed by larger organisations including M&S, discussed the pros and cons of performing the CISO role at different-sized companies. On the one hand, at Trainline, with only a few hundred employees, it is easier to communicate directly with all of the employees about security issues than would be the case inside a larger business; on the other, the lack of corporate governance structures makes it more difficult to establish and reinforce security policies, or changes in the organisational culture that might help to improve its security posture.
Barney pointed out that a change in organisational culture, however helpful as a means of improving security, will be very difficult within a large, long-established retailer like M&S. Instead, he suggested, the CISO should “work out what the company means to [colleagues]... then try to sell security to them. Make your colleagues understand it from their perspective.” That way, he suggested, security leaders would stand a much better chance of protecting staff, shareholders and customers from dangerous, ever-evolving security threats in future.
Retailers using cloud technologies to improve efficiency within the business and/or to offer specific customer service functionality would also have been interested in a Tech Talk given on the first day of the show by David Cahill, security strategy and architecture manager at Allied Irish Bank (AIB). Work the bank is doing with Skyhigh Networks to identify and securely manage the use of multiple cloud technologies by the bank’s 15,000 staff revealed 2,471 different cloud technologies in use, including 131 services and 336 activities Skyhigh classified as high risk. Now, when users attempt to use an unauthorised SaaS application, the system prevents them from doing so and suggests using an authorised alternative. Meanwhile, a Strategy Talk delivered by Tim Porter, domain IT security engineer at Lloyds Banking Group, explained how Lloyds is working with TITUS (formerly Titus Labs) to classify structured and unstructured data within the organisation into four categories: public, internal, confidential and highly confidential. Metadata attached to these pieces of data can be integrated with the bank’s other business tools – so any item marked highly confidential will be encrypted automatically, for example.
Projects like these should help organisations of all kinds to avoid some of the security incidents triggered by user error, but not all of them. On the Keynote stage, Mikko Hypponen, chief research officer at F-Secure, looked back on 25 years of work battling online threats and showed how history can repeat itself. He pointed out that some of the first Trojans, created in the late 1980s, were versions of what we now call ransomware. This is also arguably the biggest malware-related problem that the world faces today, in part because Bitcoin has made it so easy to process payments from victims – and because people so often click on attachments and web links when they shouldn’t.
As Hypponen puts it, “people do stupid things”. One of the ways in which he illustrated this was by showing the audience a tweet sent by someone that contained a photo of their new debit card, with all details in plain view... and then a follow-up tweet sent a little while later, asking why people were tweeting him asking for the three numbers on the back – and revealing them...
A Tech Talk delivered by Simon King, head of IT at security technology distributor Infinigate, looked at ways that individuals may put themselves and their employers at risk when using social media. King described experiments Infinigate has conducted to see how easy it is to mine social media for information that could be used in phishing attacks or fraud targeting individuals or organisations. For example, Infinigate created a Facebook page for a fictional young and attractive person called Clare, then sent friend requests to a few young men who looked like they might respond. Within days hundreds of people were communicating directly with ‘Clare’ via Facebook. They included a CEO, an HR manager, an RAF employee and an aviation security officer. A bit of cross-referencing work with LinkedIn, Twitter and Companies House revealed all sorts of details about Clare’s new friends’ employers – and personal information relating to the directors of the companies for which they worked; and the clients of those businesses.
On day two of the conference cryptographer and security guru Bruce Schneier explained his concerns about the development of the Internet of Things (IoT), a topic of growing relevance to retailers seeking to use IoT technologies like beaconing within stores to create personalised interaction with consumers via mobile devices; and to those retailers who will be selling these ‘smart’ devices in future. One problem, Schneier suggests, is that the security gap – the time between the first exploitation of a vulnerability and application of countermeasures – is likely to be much longer for some IoT devices than for conventional workplace technology or consumer electronics. The security gap can be kept relatively small in the world of consumer devices, he pointed out, in part because consumers upgrade computers and laptops regularly. This is not the case for some IoT technologies that retailers will use in future, such as technologies used in stores or parts of the supply chain.
Schneier fears this will mean “fewer attackers can do more damage with better technology”, and that an increase in catastrophic risks could drive public demand for government action, possibly leading to increased surveillance and restrictions on individual freedoms online. “We need to bring together technologists and policymakers ... or we’ll get some really bad policy,” he said. “Our choice is between smart government involvement and stupid government involvement.”