Retail Systems reviews Infosecurity Europe 2017
Written by David Adams
With a seemingly endless stream of stories about data theft and other forms of cyber crime having afflicted every industry, including retail, during the past year, the Infosecurity Europe conference and exhibition is arguably more relevant for the retail sector now than ever before. Alongside the range of useful technologies being showcased at the exhibition, visitors to the London show on 6th-8th June were able to attend a programme of presentations and panel discussions on the keynote stage, focusing on a range of security subjects.
The opening address was delivered by Dame Stella Rimington, former director of MI5. Although she barely touched on IT security, her speech did suggest parallels between the task of protecting an organisation against cyber security threats and her former job. She also emphasised the extent to which those entrusted with the security of the nation or, by extension, of an organisation, are likely to be blamed when a risk calculation goes wrong – a predicament which anyone with responsibility for IT and data security within a retailer can certainly empathise with, even if, thankfully, such mistakes are not usually a matter of life or death.
Professor Angela Sasse, director of the UK Research Institute in the Science of Cyber Security (RISCS) at University College London, led an extended session on creating a strong security culture within organisations. She highlighted the change in emphasis that RISCS and the National Cyber Security Centre (NCSC) were trying to encourage across the UK, seeking to persuade those who work in IT security (and IT in general) to move away from blaming the end user for security problems. Instead, she suggested, organisations must improve security policies and technology, while trying to create a more genuinely effective secure culture.
Awareness-raising exercises and/or computer-based training modules cannot possibly eradicate deeply ingrained bad security habits overnight, Sasse suggested. Instead, she recommended use of techniques such as gamification, or even board games, that staff could be encouraged to play together. Where these and similar methods are tried, she claimed, evidence shows that individual members of staff often actually start talking to each other about security. “If we can achieve that then half the battle is won: the more they talk about it, the more you get real engagement and get staff to work with you,” said Sasse.
She also pointed out – to applause from some in the audience – that often the best way to improve IT security was to upgrade the IT infrastructure. “Instead of spending money on security as a sticking plaster, get that infrastructure sorted out,” she suggested. Some readers may find themselves wishing, ruefully, that budgetary constraints did not make such wholesale refurbishment of the IT architecture such an unlikely prospect.
In another extended session, Rik Ferguson, special advisor to Europol EC3, joined security researcher James Lyne in considering current security risks and threats. One of the most prominent subjects discussed was ransomware. Ferguson suggested that the WannaCry ransomware attack, which caused so much disruption within the NHS and other organisations across the world recently, had at least helped to raise awareness of the extent to which ransomware is being used by cyber criminals. He cited research from Trend Micro that showed an “exponential increase” in the use of ransomware during 2016 compared to the previous year – “and we thought 2015 was bad”. There were 29 new ransomware families observed during 2015, but this number grew to 246 in 2016, a 748 per cent increase.
He also talked about another technically unsophisticated yet highly effective threat: CEO or invoice fraud, whereby the email account of a senior member of staff is compromised and then used to dupe other members of staff into transferring money out of the organisation. Ferguson listed some best practices that can help organisations combat such problems: having strong backup and restore processes in place – including at least one offline backup mechanism; reviewing and improving access control policies and management; implementing better patch management and regular attack simulations and testing; and the creation of a security-aware culture.
Finally, Ferguson also considered the ever-growing threat posed by Internet of Things (IoT) devices, which include a growing number of devices that retailers either use themselves in stores and warehouses – from in-store mobile communications beacons to CCTV cameras – or sell to consumers. As Ferguson put it, “by and large, the people responsible for the security of this technology have nothing to do with security”. This is a problem that must be addressed now, because of the speed at which the number of such devices is increasing, he said. Much more work is needed on assessing the security of the back-end systems used alongside IoT devices, as well as the devices themselves, he observed.
Another panel discussion considered the work that could and should be done to improve an organisation’s security posture by building better security practices into software coding and design. Lee Barney, head of information security at Marks & Spencer, suggested that one way businesses can encourage developers and software engineers to follow best practice is to appeal to those individuals’ motivations. For example, he said, M&S trains staff in secure coding, then challenges them to find vulnerabilities in their own website, offering prizes for those who succeed in doing so. Barney also talked about the need to get buy-in at the top of the company for any changes necessary to create a more secure approach to coding and development. If this proves impossible because the board just does not seem to care, he said, it might be time to consider moving on from the company – because any company where the top tier of management does not care about security is destined to suffer a serious security-related problem at some stage.
The first presentation of the second day of Infosecurity Europe was one of those keynote speeches at a conference that has almost no connection with the central theme of the event. In this case, however, as this was the day before a General Election, broadcaster and author Jeremy Paxman could probably be forgiven for talking about politics. The tenuous connection here was trust, and in an enjoyable if deeply cynical speech Paxman proceeded to be incredibly rude about most high profile politicians, highlighting the many times they had shown themselves to be untrustworthy. In a short Q&A at the end some audience members made futile attempts to pull the conversation back to cyber security topics. Asked if he thought the UK’s top politicians had much understanding of the cryptographic technologies that are so important in combatting cyber crime, Paxman retorted: “How on earth should I know?”
Another keynote session that offered far fewer laughs but was undoubtedly more relevant to the day-to-day experiences of many in the audience focused on the processes and challenges involved for companies seeking to attain compliance with the GDPR. Steve Wright, group data and infosec officer at John Lewis, said one of the difficult challenges that the retailer had faced had been developing a strong enough understanding of the legal differences between GDPR and existing data protection legislation and regulation.
He also highlighted the problem of finding new technology that could genuinely meet the company’s GDPR-related requirements. He alluded to the fact that some of the technology vendors in the exhibition would almost certainly claim their solutions could meet all of a company’s requirements. This was probably not the case, Wright suggested. “My advice is, you’ll find there’s a little bit that can do that and a little bit that can do this, but not one vendor that can do everything.”