FStech reviews Infosecurity Europe 2017
Written by Dave Adams
Following another year in which disruptive IT security incidents were visible in every industry sector, 2017’s Infosecurity Europe conference and exhibition, held in London from 6 to 8 June, seemed more relevant than ever. Presentations and panel discussions on the keynote stage considered the changing nature of information security risks, along with familiar themes, including the old problem of finding the best way to persuade senior management and colleagues across an organisation to do their bit to improve security.
The opening keynote address was delivered by Dame Stella Rimington, former director general of MI5. Although she barely touched on IT security, her speech did suggest parallels between her former job and the task of protecting an organisation against cyber security threats. Dame Stella told the audience the story of her career, from her first job, an administrative role with British intelligence in India during the 1960s, to fighting the Cold War and terrorism during the 1980s and 1990s. She reflected on the difficulties she faced that state security services still face today: having to act quickly and take “calculated risks on partial information” to prevent acts of terror. She also emphasised the extent to which those entrusted with the security of the nation, or, by extension, of any organisation, are likely to be blamed when a risk calculation goes wrong, a predicament with which anyone responsible for IT security within a financial services company can empathise, even if, thankfully, such mistakes are not usually a matter of life or death.
Also on the first day, Professor Angela Sasse, director of the UK Research Institute in the Science of Cyber Security (RISCS) at University College London, led an extended session on driving a good security culture within organisations. She highlighted the change in emphasis that RISCS and the National Cyber Security Centre (NCSC) were trying to encourage across the UK, seeking to persuade those who work in IT security (and IT in general) to move away from blaming the end user for security problems. Instead, she suggested, organisations must improve security policies and technology at the same time as they try to create a more genuinely effective, secure culture within a company.
One emblematic change has been the move away from prescriptive rules on password composition and on how often passwords must be changed. The reasoning is that an individual’s password is far more likely to be compromised in bulk, when a credential database is breached, than to be singled out and cracked by an attacker, so forced rotation and complexity rules do little against the real threat while making passwords harder for users to remember. Organisations need to move away from a situation in which users perceive security mainly as a block on their activity, said Sasse. “It’s very clear that if you’re asking too much of people, in terms of security, it becomes counterproductive,” she noted. “Effective security needs to be collaborative. If security doesn’t work for people, it doesn’t work [at all].” She cited examples of intrusive and disruptive security pop-up warnings that were too often false positives, or that gave recipients no guidance on what to do. Too often, she suggested, such technologies actually conditioned individuals to ignore security warnings.
An endless stream of awareness-raising exercises and computer-based training modules was also unlikely to eradicate deeply ingrained bad security habits, she suggested. Instead, she recommended techniques such as gamification, or even board games, that staff could be encouraged to play together. Where these and similar methods are tried, she claimed, the evidence shows that individual members of staff often start talking to each other about security issues. “If we can achieve that then half the battle is won: the more they talk about it, the more you get real engagement and get staff to work with you,” said Sasse.
In the panel discussion on creating a secure user culture that followed her presentation, Jonathan Kidd, CISO at Hargreaves Lansdown, also advised audience members to find ways to make staff feel comfortable talking freely about things that they or colleagues had done and later realised might create or exacerbate security risks. There should be less punishment of those who had made mistakes and more praise for those who had done the right thing, he argued. Sasse also pointed out, to applause from some in the audience, that often the best way to improve IT security was to upgrade the IT infrastructure. “Probably half of all security problems are down to crap IT,” she said. “Instead of spending money on security as a sticking plaster, get that infrastructure sorted out.”
Another panel discussion considered the work that could and should be done to help improve an organisation’s security posture by building better security practices into software coding and design. Adrian Asher, CISO at the London Stock Exchange Group, suggested that one thing businesses could do to encourage best practice in this area would be to point out to developers and software engineers that becoming more skilled in producing secure code will make them more valuable as employees. This seems particularly relevant to developers working in-house or as contractors within the financial sector. “Any developer that writes secure code is more marketable, so I would say to them: get those skills and then either get more money where you are, or go somewhere else and get more money there,” said Asher.
The first presentation of the second day of Infosecurity Europe fell into the category of keynote addresses that have almost no connection with the central theme of the conference. In this case, however, as it was the day before the General Election, broadcaster and author Jeremy Paxman could probably be forgiven for talking about politics. The tenuous connection was trust, and in an enjoyable if deeply cynical speech Paxman proceeded to be incredibly rude about most high-profile politicians, highlighting the many times they have shown themselves to be untrustworthy. In a short Q&A at the end, some audience members made futile attempts to pull the conversation back to cyber security. Asked whether he thought the UK’s top politicians had much understanding of the cryptographic technologies that have become so important in combating cyber crime, Paxman retorted: “How on earth should I know?”
Another keynote session offered far fewer laughs but was undoubtedly more relevant to the day-to-day experience of many in the audience: it considered the processes and challenges entailed in attaining compliance with the GDPR, which applies from 25 May 2018. Cameron Craig, deputy general counsel for data privacy and digital and group head of data privacy at HSBC, noted that one of the big problems for many organisations is simply understanding the ways in which GDPR differs from existing data protection legislation. Although this continued to cause HSBC and other companies in the financial sector a great deal of trouble, he also acknowledged the extent of the support and guidance that the Information Commissioner’s Office (ICO) is providing to help businesses move towards compliance.
Craig also noted the ways in which working on GDPR was particularly helpful to financial companies already seeking to improve their data management in general. GDPR compliance should not be seen merely as a “burden”, Craig said, but as an opportunity to use better data management to develop new FinTech solutions and, ultimately, to earn customers’ trust in a company’s brand. In the digital information economy, and particularly in the financial sector, nothing is more important to a company’s success than gaining and keeping that trust.