Bill Magee says that too few businesses are taking the perils of cybercrime seriously – despite the eye-watering costs a security breach can involve...
What has Netflix streaming a 40-year-old Hollywood movie got to do with online security? Answers on a cyber-postcard...
The film in question is the 1976 classic suspense thriller Marathon Man, in which Dustin Hoffman is tormented by Laurence Olivier’s nasty Nazi dentist whispering into his ear: ‘Is it safe?’
Ok, the film is pre-internet (not strictly true: its forerunner, the US defence-funded Arpanet and its ‘internetworking’ protocols, can be traced back to 1969), so what has it got to do with the world of business technology, I hear you asking.
Well, everything. They are three words that carry with them such a powerful resonance in today’s commercial world, where a reported data breach appears a daily occurrence.
Ask any organisation – irrespective of size – what their number one daily anxiety is and they’ll tell you: “I hope my data is secure.” Yet it’s like, well, drawing teeth (you’ll have had to see the movie) to get your average company to actually spend money on ensuring its sensitive information remains safe.
Such has been the growth of cybercrime online that Juniper now estimates a single internet breach can cost upwards of a not-so-cool £300,000.
Compare this with the mere £3,000 that the same mobile, online and digital market researcher reports as a typical company’s average annual spend on cybersecurity.
Worse still, Gemalto’s latest data security confidence index reports that an overwhelming 95 per cent of UK businesses operate under a ‘false sense’ of confidence in the ability of their perimeter security to keep attackers out of their IT networks.
Something’s got to give.
Which brings me onto Bill Buchanan. The founder of Edinburgh Napier University’s cyber academy declares: “Your encrypted database is NOT secure!”
The good professor says he is being increasingly asked to review database management systems (DBMS), especially with the General Data Protection Regulation (GDPR) round the corner.
“I’m asked: ‘is my system secure?’ and the reply is often: ‘No!’, to which the company says: ‘But we have implemented encryption on our data, and it’s been proven to be uncrackable.’
“Then I show how a poor implementation of system logs, key management and weak access controls can lead to a large-scale data breach. As was shown with the distribution of the #NotPetya attack, intruders now have a wide range of skills in compromising systems.”
With preparation needed now for the introduction of GDPR next May, an organisation had better make sure any supposed ‘air gaps’ genuinely isolate what they are meant to, and that each and every piece of sensitive data is encrypted and protected by strong access controls.
An air gap is a network security measure in which a computer or network is physically isolated from unsecured networks, such as the public internet or an unsecured local area network.
On far too many occasions so-called encryption becomes a ‘tick box’ exercise: the chief executive asks the CTO if they encrypt their customer data, the CTO replies ‘yes’ and the CEO says: ‘Well, that’s good.’ The questions that never get asked are where the key lives, who can call the code that decrypts, and what ends up in the logs.
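To make the professor’s point concrete, here is an added illustration (written for this article; it is not Prof Buchanan’s code, nor any product’s) of why an ‘encrypted database’ can still be a large-scale breach. The same customer store is built twice: a weak deployment where the key file sits beside the data, logs record plaintext and any role may read, and a strong one where the key is kept in a separate directory that stands in for a KMS or HSM, logs record only a hash, and reads are restricted to an allow-list of roles. The cipher is a toy HMAC-SHA256 keystream with an HMAC tag, used only so the script runs on a standard Python install; it is not a production cipher. The customer records are constructed sample data, and the ‘attacker’ only ever gets a copy of the data directory, as with a stolen backup.

```python
"""Encryption is not the control; key placement, logging and access are.

Added illustration for this article, not Prof Buchanan's code or a product.
Cipher below: toy HMAC-SHA256 keystream + HMAC tag (illustrative only, NOT
for production). Customer records are constructed, fictitious sample data.
The 'kms' directory stands in for a real KMS/HSM that the backup never sees.
"""
import hashlib
import hmac
import os
import secrets
import tempfile

SAMPLE_RECORDS = {  # constructed, fictitious
    "c001": "Alice Smith,4111 1111 1111 1111",
    "c002": "Bob Jones,5500 0000 0000 0004",
}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:  # HMAC in counter mode; toy construction
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class CustomerStore:
    def __init__(self, data_dir, key_dir, redact_logs, allowed_roles):
        self.db = os.path.join(data_dir, "customers.db")
        self.log = os.path.join(data_dir, "app.log")
        self.redact_logs, self.allowed_roles = redact_logs, set(allowed_roles)
        key_file = os.path.join(key_dir, "master.key")  # key_dir == data_dir is the mistake
        if not os.path.exists(key_file):
            with open(key_file, "wb") as f:
                f.write(secrets.token_bytes(32))
        with open(key_file, "rb") as f:
            self.key = f.read()

    def insert(self, cid: str, record: str) -> None:
        with open(self.db, "a") as f:
            f.write(f"{cid} {encrypt(self.key, record.encode()).hex()}\n")
        detail = hashlib.sha256(record.encode()).hexdigest()[:12] if self.redact_logs else record
        with open(self.log, "a") as f:  # weak deployment writes the plaintext here
            f.write(f"insert {cid} {detail}\n")

    def read(self, cid: str, role: str) -> str:
        if role not in self.allowed_roles:
            raise PermissionError(f"role {role!r} may not read customer data")
        with open(self.db) as f:
            for line in f:
                rid, blob = line.split()
                if rid == cid:
                    return decrypt(self.key, bytes.fromhex(blob)).decode()
        raise KeyError(cid)


def stolen_backup(data_dir: str) -> set:
    """Everything an attacker recovers from a copy of the data directory alone."""
    found = set()
    key_files = [n for n in os.listdir(data_dir) if n.endswith(".key")]
    if key_files:  # 'encrypted', but the key shipped inside the backup
        with open(os.path.join(data_dir, key_files[0]), "rb") as f:
            key = f.read()
        with open(os.path.join(data_dir, "customers.db")) as f:
            for line in f:
                found.add(decrypt(key, bytes.fromhex(line.split()[1])).decode())
    with open(os.path.join(data_dir, "app.log")) as f:
        for line in f:  # plaintext in logs needs no key at all
            found.add(line.split(" ", 2)[2].strip())
    return found


def run_demo():
    """Returns (weak_leak, strong_leak, weak_insider_read, strong_insider_read)."""
    root = tempfile.mkdtemp()
    weak_dir, strong_dir, kms_dir = [os.path.join(root, d) for d in ("weak", "strong", "kms")]
    for d in (weak_dir, strong_dir, kms_dir):
        os.mkdir(d)
    weak = CustomerStore(weak_dir, key_dir=weak_dir, redact_logs=False, allowed_roles={"app", "reporting"})
    strong = CustomerStore(strong_dir, key_dir=kms_dir, redact_logs=True, allowed_roles={"app"})
    for cid, rec in SAMPLE_RECORDS.items():
        weak.insert(cid, rec)
        strong.insert(cid, rec)
    leaked_weak = stolen_backup(weak_dir) & set(SAMPLE_RECORDS.values())
    leaked_strong = stolen_backup(strong_dir) & set(SAMPLE_RECORDS.values())

    def insider(store):  # a compromised low-privilege 'reporting' account tries the read path
        try:
            return store.read("c001", role="reporting")
        except PermissionError:
            return None
    return leaked_weak, leaked_strong, insider(weak), insider(strong)


if __name__ == "__main__":
    w, s, iw, is_ = run_demo()
    print("stolen backup, weak:", sorted(w), "| strong:", sorted(s))
    print("insider read, weak:", iw, "| strong:", is_)
```

Run it and the weak deployment hands over every record twice, once via the key that travelled with the backup and once via the log, while the strong deployment leaks nothing from the same backup and refuses the compromised account; the ciphertext is identical in both, which is exactly why ‘we encrypt our data’ answers the wrong question.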
It is hoped GDPR will ensure the true risks of data infrastructures are properly assessed, though it is still the ‘basics’, such as weak passwords, that must be addressed first.
Better still, get someone from outside your core team to review procedures and processes. There are numerous penetration-testing SMEs out there who will give strong, independent advice on the risks.
Back to those Juniper researchers: they have picked up on the insider threat the professor alludes to, recommending that any organisation can reduce its exposure through proper staffing, enabling technologies and training programmes that help break the pattern of repeated breaches.
Otherwise you’re likely to finish up ’a-grinding and ’a-gnashing as your enterprise falls on the wrong side of a rising tide of cybercrime reckoned to cost businesses globally an eye-watering $8 trillion by 2022.