In the past two years, a slew of organisations from Sony to the Serious Organised Crime Agency (SOCA) have been hit by high-profile security breaches and attacks on their systems. At the same time, sensitive personal data has been compromised through negligence, as in the recently reported loss of USB sticks containing unencrypted NHS patient data.
It has become abundantly clear that for all the corporate and government focus on compliance, security and resilience, in many areas organisations’ information security strategy is failing them – as well as those customers whose sensitive information they store and process.
As technology and business step forward, so CIOs must continually step back and understand what any changes mean for their organisational systems, processes and policies. Today, there are few areas where this is truer than in the realm of information security.
Reports of breaches have moved beyond online message boards and into the maelstrom of mainstream media. Audacious attacks, damaging data breaches and arrests of hacktivist “leaders” (a term that exposes a misunderstanding of the decentralised nature of such groups) have hit the headlines, prompting a barrage of questions (but few satisfactory answers).
Some have advocated cracking down hard on those apprehended to set an example to other would-be intruders; others have railed at the negligence and incompetence of the organisations that allowed confidential information to be exposed. The headline attacks also helped spur the government’s resolve to introduce internet monitoring proposals in the Queen’s Speech, a measure that most of those close to the subject believe will be ineffective against genuine threats.
But while the actions of Anonymous, Lulzsec and other hacktivists have shone the spotlight on organisations’ information security, that spotlight is also revealing more worrying issues.
Chris Potter, a partner at PwC and co-author of last month’s government-backed Information Security Breaches Survey report, says: “Some people characterised 2011 as the year of the hacktivist and that’s certainly a factor in the doubling of breaches we’ve seen over the past two years. However, the most serious attacks don’t come from hacktivists. Generally, these more public attacks are distributed denial of service (DDoS) attacks designed to bring down a website by bombarding it with requests. Far more serious, though, are the increasing attempts to steal corporate information or commit fraud.”
Meanwhile, among (and within) public- and private-sector organisations, debates have raged over the best way to tackle the problem. To many, it is clear that the conventional technological approach to security – protecting the perimeter of the organisation with firewalls and anti-malware scanners, while keeping all systems patched and up to date – is no longer sufficient on its own.
“Zero day” threats – exploits for software vulnerabilities that the vendor has not yet patched, and malware that has not yet been added to the defending product’s signature database – will always be favoured by serious attackers, because the defences described above have nothing to match them against. Malware is becoming increasingly sophisticated, easy to use and hard to detect: trivial repacking of a known sample is often enough to defeat signature matching. “Botnets” of compromised (often consumer-owned) PCs can be remotely commanded to do the attackers’ computationally intensive bidding, from password cracking to DDoS.
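The following toy, added here as an illustration and not part of the original article, shows concretely why a signature database is a step behind the attacker. It builds a constructed, harmless byte string standing in for a malicious executable, a "database" holding its SHA-256 hash and a byte-pattern signature, and a minimal crypter that XOR-encodes the sample behind a stub (the `STUB` header, the XOR key and the sample content are all assumptions made up for the demonstration). A one-byte change defeats the hash but not the pattern; the repacked variant defeats both, even though the original payload is fully recoverable at run time. Only the defender's signatures are fooled, which is the gap that behavioural or runtime detection has to fill.

```python
import hashlib

# Constructed stand-in for a malicious file: an MZ-like header, padding and a
# recognisable command string. It is inert data, not real malware.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 8 + b"cmd.exe /c evil" + b"\x00" * 8

# Hypothetical signature database as a scanner might hold it: one full-file
# hash and one byte-pattern signature, both derived from the known sample.
KNOWN_HASHES = {hashlib.sha256(SAMPLE).hexdigest()}
KNOWN_PATTERNS = [b"cmd.exe /c evil"]


def matches_signature(data):
    """Return which signature type fired ('hash' or 'pattern'), or None.

    This mirrors a purely signature-based scanner: no knowledge of what the
    bytes do, only whether they have been seen before.
    """
    if hashlib.sha256(data).hexdigest() in KNOWN_HASHES:
        return "hash"
    for pattern in KNOWN_PATTERNS:
        if pattern in data:
            return "pattern"
    return None


def xor_encode(data, key):
    """Symmetric single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def repack(sample, key=0x5A):
    """Simulate a simple 'crypter' (assumed format): a stub header, the one-byte
    key, then the XOR-encoded payload. Every byte of the payload changes, so
    neither the file hash nor the byte pattern survives."""
    return b"STUB" + bytes([key]) + xor_encode(sample, key)


def unpack(blob):
    """What the stub does at run time: read the key and decode the payload.
    The original bytes exist again in memory, where a file scanner never looks."""
    key = blob[4]
    return xor_encode(blob[5:], key)


def demo():
    """Return the scanner verdict for the original, a one-byte variant and the
    repacked sample, alongside whether the repacked payload still unpacks."""
    one_byte_variant = SAMPLE + b"\x00"   # hash changes, content does not
    packed = repack(SAMPLE)
    return {
        "original": matches_signature(SAMPLE),
        "one_byte_variant": matches_signature(one_byte_variant),
        "repacked": matches_signature(packed),
        "payload_recoverable": unpack(packed) == SAMPLE,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The hash signature is the most fragile (any change to the file defeats it), the byte pattern survives trivial edits but not encoding, and both miss the repacked file entirely. That is the practical meaning of a "zero day" in the signature sense: until a vendor has seen this exact packed form, the perimeter scanner has nothing to match.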