Conference review: Infosecurity 2018

Infosecurity Europe 2018 provided visitors with a blend of warnings about familiar risks and new reasons to feel anxious. At the first post-GDPR show, talk of data protection policies competed for attention with eye-catching tales of nation state attacks and evolving threats related to the Internet of Things (IoT) and artificial intelligence (AI).

The opening keynote on day one was delivered by Baroness Dido Harding, now chair of NHS Improvement, but formerly chief executive at TalkTalk when the company was hit by a major cyber attack in 2015. That had resulted in the leak of almost 160,000 customers’ personal details and a record £400,000 fine for the company from the Information Commissioner’s Office (ICO).

Harding said the attack was caused by the company’s reliance on legacy technology - targeted by a conventional SQL injection attack - which she described as “the IT equivalent of an old shed in a field … covered in brambles… all we saw was the brambles and not the open window”.
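The "conventional SQL injection" Harding refers to is worth seeing in its simplest form. The following is an added example written for this review, not code from TalkTalk or from Harding's talk: a lookup built by splicing user input into the SQL text, next to the parameterised version that closes the hole. The table, rows and payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a customer table; not real customer data.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "0161 000 0001"),
    ("bob@example.com", "0161 000 0002"),
    ("carol@example.com", "0161 000 0003"),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, phone TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The defect: user input is spliced into the SQL text, so it can rewrite the query."""
    sql = f"SELECT email, phone FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the value travels separately from the SQL and can only be compared as data."""
    sql = "SELECT email, phone FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Textbook tautology payload: closes the string literal, then appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Row counts returned by each lookup for a legitimate value and for the payload."""
    conn = build_db()
    return {
        "legit_vulnerable": len(lookup_vulnerable(conn, "bob@example.com")),
        "legit_parameterised": len(lookup_parameterised(conn, "bob@example.com")),
        "payload_vulnerable": len(lookup_vulnerable(conn, PAYLOAD)),
        "payload_parameterised": len(lookup_parameterised(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the vulnerable query becomes `WHERE email = '' OR '1'='1'` and returns every row in the table; the parameterised query treats the same string as a literal email address and returns nothing. The same discipline applies to every legacy code path that still builds SQL by concatenation, which is exactly the kind of "open window" an inventory of old systems should be looking for.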

Even if many were frustrated by the Baroness not wanting to be pinned down in relation to mistakes TalkTalk made in 2015, it was good to see a former boss who had been through such an experience being prepared to get up on stage and talk about it – something that would have been impossible to imagine just a few years ago.

Other presentations on the first day included a description by cyber security consultant Jessica Barker of work with a major European financial services organisation to create a risk-aware culture. She described talking to people across the organisation and discovering that a strong awareness of cyber security issues was overwhelmed by a “fear-based culture” that discouraged employees from reporting problems or concerns.

To change that culture, the company ran events including hacking demonstrations, sessions in which staff were encouraged to try to draft their own phishing emails, and a family day when staff could learn how to protect their families against cyber threats. It also established a champions programme, with people volunteering to be cyber security champions across the business.

On day two, Paul Chichester, director of operations at the National Cyber Security Centre (NCSC) discussed the organisation’s key mission - “to protect everybody from everything” - and its role in helping to coordinate responses to major incidents, such as the WannaCry ransomware attack in May 2017. Acknowledging critics who said the NCSC had been slow to issue guidance, Chichester said that in future it might “be braver” in the event of a similar incident and issue guidance at an earlier stage, with the caveat that it might then need to change as further intelligence became available.

He was joined on stage by Infosec stalwart James Lyne, head of global security research at Sophos, who described current and emerging threats. He highlighted the continuing use of old-fashioned file and document-based malware and phishing attacks. Some examples have been in use for years, yet still work, because they prey upon human gullibility and greed. They remain popular in part because advances in security technology mean browser-based attacks are now more difficult and expensive.

Lyne provided some entertaining illustrations, such as the spreadsheet that looks as if it will reveal the salaries of everyone else in your office, and a harmless piece of malware that locks up your computer temporarily, administers a severe telling off for your poor security habits, then unlocks the machine again and uninstalls itself.

He also revealed some interesting effects of market forces on cyber security threats. It is now possible not just to buy readymade ransomware, but also to obtain 'freemium' versions that require no up-front payment and instead take a majority share of the income derived from their use.

Troy Hunt, Microsoft regional director and founder of the Have I Been Pwned? service, stressed the need for organisations to think very carefully about all the software they are using within their IT estate, including the third-party scripts loaded into their own web pages. He highlighted the Browsealoud incident, in which a widely used accessibility plugin was compromised to embed cryptocurrency-mining code, so that thousands of websites that loaded it, UK and US government sites among them, served the miner to their visitors.

He also made a point upon which every organisation reviewing data protection, security and incident response strategies should reflect. It is increasingly the case, said Hunt, that consumers and other service users are now “judging organisations more on their response to an incident than on the fact that they had a breach in the first place”.

Food for thought – and also the reason why some former TalkTalk customers might have bristled at Baroness Harding’s fluent, yet slightly evasive, mea culpa in her speech on day one.
