Recent high-profile cyber-attacks have highlighted the importance of online security. But are technological solutions at the mercy of human error?
Businesses are coming under frequent and increasingly brazen attacks from computer hackers looking to steal sensitive data about customers and disrupt their operations. But many organisations are failing to take adequate steps to repel these onslaughts and often seem clueless about what to do when they happen.
This summer’s scandal, when hackers attacked the Ashley Madison adultery website – posting confidential details online about 33 million accounts – should serve as a wake-up call to businesses, especially those dealing with personal data. They need to protect their customers’ data from cyber-attack – or see their reputations shredded.
The attack on French TV network TV5Monde in April was even more worrying. The hackers managed to keep the TV channels off air for several hours and posted a message on the organisation’s website claiming to be from Jihadists associated with Isis. Threats were made against the families of French security personnel. Reports later suggested that French authorities suspected the hand of a hacking group with links to the Russian government.
But wherever the threats come from – and there are plenty of diverse groups and individuals looking to mount such attacks – many organisations seem powerless to stop the intruders and protect their data.
To discuss how businesses and other organisations can boost their cybersecurity, The Guardian, in association with Fujitsu and Symantec, brought together senior online security experts, academics and compliance managers for a roundtable discussion entitled: “Data protection: a critical part of good corporate citizenship?” Participants examined strategies for protecting IT networks from attack and discussed the steps organisations must take to ensure they safeguard their customers’ data better.
Part of the problem is that anti-hacking technology such as antivirus software and firewalls has become so sophisticated that hackers have decided to concentrate their efforts on “social engineering” attacks. These involve tricking members of staff into giving away usernames, passwords and other details that can be used to log in to networks.
Another risk is that staff may leave laptops, mobiles and documents containing sensitive information in public places, or fall for telephone scammers looking to extract private information.
The panel agreed that educating staff to be more aware of these threats is vital, and that with people increasingly working from different locations – at home, in cafes, on the train or plane – the risks are increasing.
As Zeshan Sattar, a certification evangelist at CompTIA, a trade body for small businesses, said: “People want to work anywhere and everywhere. They open their laptop up and it is confidential – they are really not thinking about what they are doing. Yes, we can look at the technology, but we also need to look at the people and the human risk.”
Rather than blaming staff for these failings, should companies be implementing basic cyber-hygiene in their systems? Or is there not much they can do to protect themselves?
“Determined hackers can get in anywhere,” said David Smith, deputy commissioner and director of data protection for the Information Commissioner’s Office, “but in lots of the cases that come to us, if basic measures had been in place, hackers wouldn’t have got in the way they got in.” Fines are levied where companies have failed to take adequate precautions, he added.
Auriol Stevens, director, Restoration Partners, Lockheed Martin Virtual Technology Cluster, said the onus was on businesses to find clear ways of explaining the dangers of hacking.
“You need to tell people about the threats in simple terms. People didn’t understand war theory (in WW2) but they understood ‘Careless talk costs lives,’” she said.
But Mariarosaria Taddeo, researcher at the Oxford Internet Institute at University of Oxford, warned against oversimplifying the issues. She said organisations need to focus on explaining the dangers better.
“Provide people with information about why the data is important rather than treating people as stupid and just saying it is confidential – explain why that matters. Words like confidential can be cliquey and the word policy turns people off – you’ve lost them.”
One of the big debates is whether organisations should allow staff to use their own smartphones, tablets and laptops for work – so-called “Bring your own device”. This increases risk, because these devices can be more easily accessed by hackers.
Where companies provide devices to staff, workers tend to store their work in cloud services, then transfer it over to their own devices, which makes the data vulnerable. One way around this is what is known as “choose your own device” where staff are given a budget and allowed to buy a device of their choice.
Sian John, chief strategist for EMEA at Symantec, explained the dangers of this strategy: “If you don’t spend enough, people will just put files in the cloud or email them to themselves and then open them on a personal device. It’s worth spending extra on a fancy, top-of-the-range machine to make it less likely they will put work on their own device.”
An underlying problem for many organisations is a lack of understanding about the importance of data and security. Until the boards and senior managers grasp that data is a hugely valuable asset for their business, they will always demote cybersecurity in their list of priorities.
Jane Wainwright, director of cybersecurity & data protection at PwC, said it is not the responsibility of either the IT department or the security department to explain the value of data – it is a job for senior management.
“What I want to hear from them is: ‘We protect data because it is the right thing to do for our customers.’ It’s good if you can use the values of an organisation to get people to understand why the data they have access to matters.”
Leaving data security solely to the IT department can create problems, said Mark Edwards, technical director at Capital Network Solutions. “Quite often, the IT department will see it as a failure in their role if they have an incident, so they’ll try and cover it up for as long as possible.”
Some believe that it is inevitable hackers will find their way into corporate networks, so these should be segmented and structured so the intruders cannot move around and access data with ease.
A significant issue with the TV5Monde attack in April was that the hack seemed to have started at a relatively low level, with a phishing email that three members of staff replied to, allowing the hackers to infiltrate the system with Trojan Horse malware, which tricks users into installing a malicious computer program. The hackers were then able to pass through the firewalls and access not just staff computers and Twitter and Facebook accounts, but also the servers that controlled TV production. This raises questions over the effectiveness of firewalls that separate different areas of operation. Companies need effective “air gaps” where their IT systems are not connected, so hacks cannot spread.
Shirin Shah, manager of governance, risk, control and compliance at EDF Energy, said the business operates separate systems for different parts of the business.
“We have segregated networks, so for our nuclear business there is a totally separate and much more secure network. We have three networks at the moment, so the different parts of the business are segregated according to the risk. We have a customer side of the business where we need to be quite open and communicate with our customers and the other part of business is very secure and locked down.”
Andy Herrington, head of cyber professional services at Fujitsu, said it could be another generation before people get a good grasp of risk management in IT. But he believes the Ashley Madison attack was a watershed. “In 10 or 20 years’ time people may look back and say there was a sea change because it affected people in a very personal way.” And he added: “Look at the Titanic – it fundamentally changed safety at sea almost instantaneously.”
Siraj Ahmed Shaikh, cybersecurity lead at Knowledge Transfer Network, said there needs to be a clearer view of the role technology plays in society. “Is technology just a service or is it an infrastructure, in which case we regulate it?”
David Evans, director of policy and community at BCS, the Chartered Institute for IT, said people need to have a better idea about how trustworthy different organisations are with their data. This could have huge implications for the future of digital technology, such as the Internet of Things (IoT). “If we don’t have trust we’ll have a massive digital switch off. Many of the people providing the building blocks for the IoT are worried about a lack of trust in digital services, because it will stuff up the market for them.”
Hack attacks will continue. But the future of digital services will depend on organisations getting better at protecting their customers’ data and finding ways to keep the hackers at bay.
At the table:
Samuel Gibbs (Chair), technology journalist, Guardian News and Media
Mark Edwards, technical director, Capital Network Solutions
David Evans, director of policy and community, BCS, The Chartered Institute for IT
Andy Herrington, head of cyber professional services, Fujitsu
Sian John, chief strategist, EMEA, Symantec
Zeshan Sattar, certification evangelist, CompTIA
Shirin Shah, governance, risk, control and compliance manager, EDF Energy
Siraj Ahmed Shaikh, cybersecurity lead, Knowledge Transfer Network
David Smith, deputy commissioner and director of data protection, Information Commissioner’s Office
Auriol Stevens, director, Restoration Partners, Lockheed Martin Virtual Technology Cluster
Mariarosaria Taddeo, researcher, Oxford Internet Institute, University of Oxford
Jane Wainwright, director, cybersecurity and data protection, PwC