Top five takeaways from Computing's Enterprise Security & Risk Management Summit

The year 2017 in cyber security

Last week was Computing's Enterprise Security & Risk Management Summit, an all-day event hosted in London, at Tower Bridge.

As ever with our annual exploration of the hottest topics in IT security, a lot of ground was covered. But what were the biggest takeaways by attendees? We've put together a list of some of the more interesting nuggets.

One third of UK organisations would pay up for ransomware

Perhaps our most alarming finding of the year: a hefty 31 per cent of UK enterprises said they would be between "quite likely" and "very likely" to pay up to the crooks after having their data held to ransom.

Computing Technology Analyst Peter Gothard described this rising willingness to pay off attackers as "a knock-on from the seemingly unstoppable force of cheap and cheerful ransomware", the same force behind the WannaCry and NotPetya outbreaks of May and June this year, the former with a particularly profound effect on the NHS.

"While the [WannaCry] ransomware was pretty unsophisticated in itself, it still managed to affect at least 81 out of 231 health trusts across the UK, either directly or indirectly," he observed.

"The National Audit Office's ensuing investigation revealed, and I quote, 'an absence of clear guidelines' on how to carry out a plan, which seemed to ensure there'd be another attack based on the same code.

And then we got NotPetya just a little while afterwards - both based on the EternalBlue SMB exploit, and thus both capitalising on versions of the same fault."

Gothard warned that "all indicators say that ransomware, now it's proving lucrative and scary, is not going to abate any time soon". While enterprise boards now appear to be sitting up and listening in the face of genuine effects and repercussions, he added, board members still need to "digest the facts" before they will adequately fund CISOs to protect their organisations properly.

Ransomware is a growing and present threat, says the National Crime Agency

Backing up Computing's keynote observations around the growing threat of ransomware, the National Crime Agency's head of technology Paul Edmunds offered another reality check for delegates.

"[Ransomware attacks] are quite sophisticated and the people who are making them are very good at what they do," Edmunds said.

Experiments carried out by the NCA revealed exactly why WannaCry ransomware spread so quickly, infecting NHS Trusts, shipping and logistics firms and many other organisations in a matter of hours.

"We ran some tests on it in our sandpit," said Edmunds. "We saw it infect the sandpit and then it went absolutely crazy, scanning the local network for machines it could deposit its payload onto and actually scanning machines on the open internet as well at random to see how fast it could spread. That accounted for the speed it spread through networks; it was that extra bit of code added on."

So basically, watch your backs. And your firewalls: that propagation code was reaching for SMB on TCP port 445, so a host that suddenly opens 445 to dozens of peers, let alone to random internet addresses, is exactly the signal to alert on, and inbound 445 has no business being reachable from the internet in the first place.
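The behaviour Edmunds describes, one host fanning SMB connections out to many local peers and to random internet addresses, is visible in ordinary connection logs without any knowledge of the exploit itself. The Python below is an added example, not NCA or Computing code. It assumes a log format of one flow per line (epoch, source, destination, destination port, protocol) and treats RFC 1918 space as the internal network; the traffic it runs over is constructed for the example, not a real capture.

```python
"""Flag worm-style SMB fan-out in connection logs.

Added example (not NCA or Computing code). Assumptions: one flow per line as
"epoch src dst dport proto", and RFC 1918 space as the internal network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 60       # fixed bucket for counting distinct peers
FANOUT_THRESHOLD = 20     # distinct TCP/445 peers per window that raises an alert
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr falls inside the assumed internal (RFC 1918) address space."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse 'epoch src dst dport proto' lines; silently skip malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        try:
            flows.append({"ts": int(ts), "src": src, "dst": dst,
                          "dport": int(dport), "proto": proto.lower()})
        except ValueError:
            continue
    return flows


def smb_fanout(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: summary} for sources that touch >= threshold distinct hosts
    on TCP/445 inside one window. Repeated connections to a single file server
    count as one peer, so normal SMB use does not trip the rule; peers outside
    the internal range are listed separately because a workstation probing the
    internet on 445 has no legitimate reason to do so."""
    peers = defaultdict(set)                       # (src, bucket) -> {dst}
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 445:
            peers[(f["src"], f["ts"] // window)].add(f["dst"])
    alerts = {}
    for (src, bucket), dsts in peers.items():
        if len(dsts) < threshold:
            continue
        best = alerts.get(src)
        if best is None or len(dsts) > best["distinct_peers"]:
            alerts[src] = {"window_start": bucket * window,
                           "distinct_peers": len(dsts),
                           "external_peers": sorted(d for d in dsts if not is_internal(d))}
    return alerts


BASE = 1_495_000_020  # constructed timestamps; chosen so all fall in one 60 s bucket


def constructed_log():
    """Constructed sample traffic, not a real capture."""
    lines = []
    # 10.0.1.23 sweeps 18 local hosts and 7 random external addresses on 445 in 25 s
    for i in range(18):
        lines.append(f"{BASE + i} 10.0.1.23 10.0.1.{100 + i} 445 tcp")
    external = ["203.0.113.7", "198.51.100.9", "192.0.2.33", "203.0.113.88",
                "198.51.100.201", "192.0.2.150", "203.0.113.250"]
    for i, dst in enumerate(external):
        lines.append(f"{BASE + 18 + i} 10.0.1.23 {dst} 445 tcp")
    # 10.0.1.50 hits one file server 40 times: busy, but a single peer
    for i in range(40):
        lines.append(f"{BASE + i} 10.0.1.50 10.0.1.5 445 tcp")
    # 10.0.1.60 browses 30 web servers on 443: many peers, but not SMB
    for i in range(30):
        lines.append(f"{BASE + i} 10.0.1.60 93.184.216.{i + 1} 443 tcp")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, info in smb_fanout(parse_flows(constructed_log())).items():
        print(f"{src}: {info['distinct_peers']} distinct SMB peers from "
              f"{info['window_start']}, external: {info['external_peers']}")
```

Only the sweeping host is reported; the busy file-server client and the web browser stay quiet because the rule counts distinct peers on 445, not connection volume. Fixed buckets can split a burst across two windows, so a production rule would use a sliding window, tune the threshold per environment and exclude known legitimate scanners such as vulnerability-management hosts.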


To move forward with cyber security, we have to battle our own complexity

Some of the wisest words of the day came from Darktrace co-founder and director of technology Dave Palmer.

"I don't believe there is any meaningful narrative around battling attackers," said Palmer.

"We can't influence attackers, but we can start dealing with our own complexity and having a better grip of what's going on there."

Palmer said that with IoT there's "an awful lot of hype out there" but "when you get to the underlying sciences, they're just fundamentally new ways of handling the complexity".

Palmer argued that the correct approach in a time of more ferocious attacks is to stop relying on security professionals to "imagine all future risks" and start properly handing that process over to software algorithms.

Identity management can transform your end users' security story

CA Technologies' principal consultant Grant Clements proposed that business transformation is defined by personalisation, making the user experience "better and easier".

Identity and access management, said Clements, should be "moving responsibility to the business", making security simple for employees, which encourages adoption and - presumably - takes the onus off individual employees to safeguard so many systems.

This, of course, feeds into privileged account management, which Clements (and the audience) felt was the biggest risk to security. It is a depressing fact of cyber security that the higher up the business you go, the less technical knowledge there tends to be, yet these are often the users with the broadest access, which makes privileged accounts the most dangerous ones to lose. Continual visibility over system, application and cloud service administration, so that you know what these users are actually doing, matters accordingly.

"GDPR - just get on with it!"

Finally, after showing a slide revealing that 6 per cent of the UK enterprise class GDPR - which hits in May 2018 - as "not on the radar", 13 per cent as "waiting and seeing what others do" and 42 per cent as just "starting to prepare", Computing's Peter Gothard lost his temper, sternly addressing the audience with the stark warning:

"Not much more to say about GDPR - just get on with it!"

A minor Twitter meme followed, but will anybody actually listen this time…?

It's just five months to go!