Forensic Focus attended the FT Cyber Security Summit in London on the 3rd of September. This article is a recap of some of the main highlights of the event.
The Cyber Security Summit brought together speakers and interested parties from law enforcement, international government, computer science and elsewhere to discuss the unique challenges around cybercrime investigation and its implications for international security.
One of the strands running through several discussions throughout the day was the issue of encouraging small businesses to take cyber security seriously. Whilst the larger players, particularly in the technology and finance fields, tend to do what they can to ensure that their businesses are secure, this is not always the case with SMEs. And with several of the larger corporations utilising services from these smaller businesses, the security of SMEs becomes an issue not just for the SMEs themselves but for others as well.
The priority, according to several of the speakers, is to make small companies understand that it is possible to make money by being good at security. Often cyber security is seen as an optional add-on as soon as the basic antivirus and password requirements have been met, and one of the main reasons for this is that security is seen as too expensive; too much of an outlay and not enough of a reward. Small companies therefore need incentives to push them into taking cyber security seriously, and one of the ways to do this is to ensure that they understand the potential financial value of having a strong cyber security policy in place.
The UK government has been working with small businesses over the past few years in an attempt to address this issue; campaigns such as Cyber Essentials and Cyber Streetwise are targeted towards small business owners and members of the public to make them understand the risks and rewards associated with this area. However, much business-to-business activity takes place internationally, with companies in the UK frequently trading with those overseas. This turns the challenge of helping small business owners to understand the importance of cyber security into an international discussion.
One of the greatest problems seemed to be a lack of knowledge regarding the questions representatives should ask when dealing with other companies. A possible solution that was brought up several times throughout the summit was that of mandatory breach reporting for companies. However, after much discussion the general consensus seemed to be that, whilst this would be useful for governing bodies and companies wishing to outsource projects, it would promote a lack of trust among SMEs and the public. A less draconian alternative would be to encourage auditors, investors and potential clients to pose the right questions so that they can come to their own conclusions. Once again, the answer seems to be in education.
This discussion led into a debate about the role of the state in cyber security, both at the professional and personal levels. It was estimated that roughly 5.5 million UK IP addresses are currently infected, most of them domestic users. Should an alert to this effect be displayed on browsers when a user logs on? Would it have any effect?
The difficulty here lies in making people understand how to ensure that their personal details are secure. Paralleling small business owners, members of the public seem reluctant to expend time, money and effort on cyber security initiatives, in part because it seems like a complex process, and also because there is a lack of understanding of just how great the risks can be.
Behavioural science was brought in as a talking point – understanding why people think the way they do, and why they are willing to take risks online which they would never take with their homes and belongings, for example. Perhaps, it was posited, there should be increased responsibility for citizens who refuse to ensure their own online security. Rather than compensating people for loss of data or financial breaches online, some felt that it would be more effective to allow the public to “feel the pain” in order to understand why security is so important.
All of these discussions are happening at a time when public opinion of state interference in cyberspace is fraught with uncertainty; in the light of the Snowden revelations, many people are newly suspicious of government initiatives, as well as being more wary of sharing personal data with social networking sites and similar online businesses.
The general consensus from government and commercial representatives alike seemed to be that it is important to help both businesses and members of the public to keep themselves safe, but that without educating them sufficiently about the dangers and the methods needed to combat these, any attempts to help have a diminished effect.
The responsibility therefore falls back somewhat onto the individual; if company representatives can persuade their board members that cyber security is a necessary part of running a business, and if members of the public can begin to understand what they need to do to keep themselves secure, and why it is important, then government interference can be kept to a minimum and cyberspace can be a safer place for everyone.