FutureScot, 28 April, 2016 2 - Page 12

12 FUTURESCOT CYBERSECURITY 28 April 2016 Unmasked: Where the real danger to company security lurks Cyber attacks might originate with a reclusive teenager in a white mask, but if organisations want to be safe from them they should focus not on their IT department but on their boardroom. BY WILLIAM PEAKIN Paul Boam is speaking about his father, a fireman for 25 years. “When he stays at a hotel, the first thing he does is drop his bag and walks out, via the fire escape. He’s checking it works. At home, before he goes to bed at night he makes sure there’s a key in every door so they would be no delay in getting out. He’s fastidious about alarms, about having the right kind of fire extinguisher. It’s because, in his job, he’s seen some terrible things …” Boam, a security consultant, is reflecting on the advice he gives to companies about how they can protect their assets from being targeted by a con, a cyber attack or, indeed, an artful blend of the two – and how he leads his own life online and in the physical world. “You can’t go through the mayhem that has been caused to some of the people that we work with and not bring the experience home with you and think: ‘You know what? I don’t want that to happen to me’.” He has a clear message for chief executives and company boards; the answer does not lie in technology. Yes, technology can help protect companies but it is as much about culture: how executives lead their work and personal lives, the practical measures that a company takes to protect its assets, and how confidence can be instilled in employees to challenge any attempt – overt or covert – to circumvent those measures. The number of recent high-profile hacks of company data – among them Target and Ashley Madison in America and Talk Talk here – has encouraged a belief that cyber security is a black and white issue; that the threat is technological, the solution is technology and it is all down to the IT department. Wrong, says Boam, who is technical director for the Stirling-based firm Net-Defence. Technology can provide a layer or layers of security, but companies are vulnerable in a myriad of ways and human behaviour is often the most significant. LAST JULY, a global healthcare company lost £18.5m when a fraudster telephoned its finance department in Scotland and requested money to be transferred to accounts in Hong Kong, China and Tunisia. The financial controller believed the man to be a senior member of staff and exchanged several calls with him as well as emails. The scam involved a combination of social engineering, based on what Boam describes as ‘open source intelligence’ – information available on the internet and social media – and digital manipulation; spoofing the executive’s email address, something which Boam says is easy to achieve. According to the FBI, impersonating the email accounts of chief executives has cost businesses around the globe more than $2bn in a little over two years. The FBI has seen a sharp increase in ‘business email crime’, a simple scam that is also known as “CEO fraud”, with more than 12,000 victims affected globally. The average loss is $120,000 but some companies have been tricked into sending as much as $90m to offshore accounts. “It is about your business’s culture and it has to be led from the top,” says Boam. “You can’t pay lip service to it because if you do you will be compromised in some way. It involves a combination of people, processes and technology. Irrespective of where they reside, they can lead to a multitude of risks. It doesn’t necessarily have to be in relation to cyber; that’s just one way that the risk might manifest itself. The chief executive and people at executive level have to take ownership of all the risks and not just consider it to be an IT problem. “If we speak to a business, have a conversation around risk and security, and they say: ‘You need to talk to the IT director’, then we know we have a challenge. It’s not about technology; it’s about people. Management systems are at the core of the most effective security. If they are embedded at a senior level, at corporate governance level, they work. The further they move down, away from corporate governance, the less chance they have for success. Boards need to truly understand the risks they face.” A REPORT BY IBM earlier this year revealed a disconnect between technology leaders in companies – chief information officers, for example – and the rest of the executive team. It found that chief marketing officers, chief financial officers, chief human resources officers and even chief executives were “Recent high-profile hacks of company data – among them Ashley Madison and Talk Talk – has encouraged a belief that the threat is technological and the solution is technology. Wrong.”