Wednesday, May 21, 2014

Europe’s View on Cyber Security: “It’s not a concern!!”

After 8 months of meetings, presentations, practicums, conferences and you name it on Cyber or Information Security, I think I have figured out the mindset of UK and European corporations towards it. It’s just not a concern warranting any action. It’s that simple!
This is supported by a recent BT poll that said only 17% of corporations interviewed listed cyber security as a priority.
Don’t get me wrong, people are interested. Every speaking engagement or practicum we host is a packed house, and some participants even call back to say how much fun the real-world practicum was to attend. "A lot like those murder-mystery dinner parties where one of the guests is killed and you have to find the killer. Those things never happen for real and neither do the cyber-attacks we just experienced."
Despite daily media reports about information theft or cyber-enabled crime, like the hacking of the Port of Antwerp by drug dealers, fake repairmen putting keystroke loggers on Barclays computers, or even News of the World hacking cell phones and emails for stories, companies just don’t seem to care.
I’m guessing many are thinking this cyber-thing is just a fad and it’s no real threat and it will go away.
Maybe it’s because they don’t want to take lessons from the U.S. Over 800 million customer records and pieces of proprietary data were stolen from companies in the US in 2014. But that will never happen in the UK or Europe, right? (Yet 93% of UK companies suffered a cyber attack in 2013.)
It’s the US and they have the NSA, who hacks everyone according to the media. We can’t trust them. But maybe “hack” is too strong a word. If companies in the UK and Europe are not doing anything to secure themselves, then is it really hacking? It seems more like online window shopping: if you can “surf” by a company and see that its data is easily readable, aren’t you going to read it? German PM Angela Merkel is talking with the French about building a cyber-wall around the EU to stop the window shopping from the US, but that just means those within the EU wall can look in on rival companies, right?
Better yet, the reason it is not a concern is because the general public doesn’t care. If a breach occurs and financial data is stolen, the public doesn’t care because the banks will make them whole again. There’s no impact to the consumer. Except the higher bank fees and lower return interest rates. Oh, you didn’t realize the banks weren’t eating that loss, that they were actually pushing it back onto consumers and corporate banking clients? Also, last I checked, the general public is not aware of all the corporate hacking going on because companies don’t have to disclose cyber-attacks.
In the US, as well as other places, corporations that have suffered cyber-attacks are legally obligated to report it to the Securities and Exchange Commission, and if the attack involves consumer data, they actually have to tell each consumer. There are also hefty fines from the Payment Card Industry (Visa, MasterCard, Amex, etc.) and the company can be sued. That’s not the case in the UK or Europe, well not yet. The EU has drafted a directive to address this with penalties of up to 5% of the company’s annual worldwide revenue. It is scheduled to be enacted in 2015.
But there is no rule yet, and maybe some are thinking that by the time the EU regulation passes they’ll be at another firm, or retired, or I don’t know, we’ll just wait and see.
Even better, maybe someone will buy the firm and then it’s their concern. Investors never conduct cyber security audits on acquisitions. It’s all about the finances and management. When’s the last time an investment firm asked a question about data protection or who has access to the company’s intellectual property? It just doesn’t happen.
Well, that waiting and seeing, or hoping for a sale, might just equal bankruptcy or criminal charges, but let’s wait anyway.
A more likely reason for this lack of caring is actually a lack of understanding. Most CISOs and those charged with information security get that this is an issue, but management above them doesn’t. And of course you can’t admit that you don’t understand the issue. Instead we’ll just buy new equipment to watch that one port; heck, there are only 65,000 ports to computer systems, I’ll buy equipment for each. So what if the equipment doesn’t talk to each other or no one understands the alerts that are being sent? The hardware/software sales guy said this is what I need to stop x, y and/or z type attacks. So what if every one of those “agents” is slowing down my processing power to less than 60%? Buying tech and building walls is being proactive, right?
All this talk about identifying core data to be protected, auditing access controls, monitoring network traffic or creating a full and up-to-date network map is just hogwash. Proactive annual reviews of policies and procedures, building a dedicated Info Sec team separate from IT, educating users on cyber-based threats in both their personal and professional lives: pointless, right?
We’ll do all that when we get attacked, assuming we know when we have been attacked. Those statistics from Symantec or McAfee saying it takes over a year for companies to become aware of an attack, or that 75% of attack victims are notified by third parties and have no clue they were breached? Again, it’s just poppycock. No one should believe that junk.
Clearly I am being sarcastic, but it is very difficult to help firms understand their risks and to provide relatively easy and cost-effective solutions to help minimize the threat, only to be told “we’ll see.”
The UK and Europe are 3-5 years behind the US in the understanding of the threats, and the cyber underground has taken notice. They know that information security is not deemed a concern. They know that most corporate management is low-hanging fruit ripe for the picking, and they (the cyber criminals) are making a mint. In fact, they know that, just like in the US, most firms only seek to sweep attacks under the rug rather than chase down those responsible. Thus, for the bad guys, there is no downside to hacking ABC Company. It will never go after them.
UK and European companies simply have no impetus to address the issue. If the flaws in their computer systems were replicated as flaws in their products, recalls would be required and many would go out of business. But that doesn’t happen, because hacking is a romanticized intangible we see on TV and in the movies. It doesn’t really impact us. The US had the same mentality until the DPI hack lost 40 million cards in 2003; then the US Congress demanded the payment card industry fix it and new rules were put in place.
That same type of regulation is coming to the EU, and when it does, if firms haven’t proactively prepared, the cost to investigate and mitigate when the breach happens will be double or triple the cost of proactive fixes.
Do you know where your proprietary data is stored, on which systems, in which countries, who has access to it and when it was last accessed? When an incident occurs, who is in charge, who makes the decisions and who reports your findings to the board? Will the answers be a made-up best guess, like those of 86% of other companies per the AccessData survey of over 1000 US, EU and UK companies?
Good thing for me and those in the InfoSec field, the lack of concern now will be a freak-out fest in the very near future and the work will come rolling in. Unfortunately we can’t get to everyone at the time of attack, and thus casualties will occur, primarily among those that “wait and see” or “aren’t concerned.”
