Connecting risk management to cyber security

By Danny Palmer
14 Jul 2014 View Comments
Connected security

The flashy new gadgets fresh from the world of consumer technology in recent years have brought huge benefits to the enterprise, with devices such as smartphones and tablets making it easier than ever to conduct business.

However, the expansion of this technology into both business and personal lives has also made it easier than ever for cyber criminals to prosper, with new avenues to exploit.

Now it’s not only PCs that are targeted, but just about anything connected to the internet could become a potential gold mine for cyber criminals as Joerg Weber, global head of attack monitoring for Barclays, pointed out while taking part in a panel discussion titled “Keeping up with security threats” at Computing’s recent Enterprise Security and Risk Management Summit.

“If you look at the evolution of endpoint security on computers, you can see how that developed over the years,” he said, arguing that criminals will “go where the money is” and currently, that’s moving towards mobile.

“In five years, you’ll see exactly the same revolution on mobile devices as you’ve seen on the PC. For cyber criminals, it’s all about how to turn that device into revenue. They will go where they can take money the most effectively, with the least amount of evidence,” Weber continued.
Such is the revolutionary cycle of cyber crime, he argued, that in future hackers will move onto other form factors, as new devices become easier to target.

“Mobile will eventually dry up as well. If they’re not able to cash in easily anymore, they’ll stop using that,” said Weber, joking that the Internet of Things could lead to some leftfield cyber-criminal techniques.

“So in 15 years, the next big thing could be exploiting fridges because every fridge will be connected and if somehow they can hack that, they will. If there’s a way of turning milk orders into money, they’ll do that.”

But while Marc Lueck, director of global threat management at Pearson, agreed that the threat landscape is constantly evolving, he argued that at this time, security personnel feel unable to suggest radical new forms of protection as they’ll lose credibility with the board, who may be slower to accept that new types of threat are coming.

“We have to be careful that we tie any recommended investment to a certain critical risk or else our own credibility is lost,” he said.

“If you were to tell me right now about how I should invest in a whole suite of ant-virus tooling on our mobile phone estate and show how you’re mitigating an appropriate level of risk against investment, I’d say yes. But right now it’s not at that level.”

Pick up the pace

Although Lueck accepts threats will emerge from as-yet-unknown sources, he warned that security personnel cannot “act like the sky is falling in,” especially when budgets can cover only a limited number of areas.

Ashley Jelleyman, head of information assurance at BT, agreed that the cyber security team should look to protect the devices which are most vulnerable or most likely to be exploited at that time, instead of gazing into the future.

“It depends on what exactly you’re allowing to be used on your mobile devices. If you have a completely feature-rich smartphone, that’s one you’re going to want protected completely,” he said, arguing that the pace of change means that there are already plenty of mobile security solutions that can protect smartphones and tablets from attack.

“There’s enough software out there to provide that protection – most anti-virus providers will sell you something that’s probably more robust than the software we put on PCs four years ago, because now a mobile phone is better than most people’s PCs were three years ago.”

Jelleyman also said it was imperative that IT security strategy “moves forward with the technology” in order to give businesses the best opportunity to prevent successful attacks by increasingly sophisticated cyber criminals, although he wasn’t as convinced as others that
his household appliances may be exploited in this fashion.

“Whether or not my fridge is ever going to try to hack my laptop, I have no idea, but I wish it the best of luck if it wants to have a go,” he said.

But that uncertainty is something the whole panel agreed represents a real challenge for cyber security professionals. After all, it’s difficult to know what cyber criminals are going to target next, or how they’re going to do it.

“I don’t know if there is training that can actually prepare us for what’s going to happen in six months or a year’s time,” added Lueck.

Reader comments
blog comments powered by Disqus
Newsletters
Is it time to open Windows?

Computing believes that Microsoft will start offering Windows free of charge by 2017. Is this a good thing for the enterprise?

55 %
16 %
7 %
19 %
3 %