Moving into the autumn the current mood at the e3 is one of change.
Updates, reboots and clandestine operations taking place in the server cupboard all indicate that the company infrastructure is going through some pretty important changes. While they may not interfere much with day-to-day work (no more than the two minutes it takes to restart your desktop), they are essential to keep the agency at the forefront of what we do. Hardware and software require regular improvements so they continue to perform at a competitive level; however, the majority of the changes are made to ensure our business systems remain safe and secure.
Adoption of the ISO/IEC 27001 Information Security Management standard has been a priority for e3 ever since we were appointed as an approved supplier for the government G-Cloud framework. Regular security reviews are crucial to our continual work with the Royal Navy. There have also been new requirements in the form of the government's Cyber Essentials and Cyber Essentials Plus scheme, which launched in June 2014 as an industry-supported benchmark of security measures and practices for SMEs. For just over a year now, compliance with the scheme's Assurance Framework has also been a requirement for any supplier bidding on government contracts that might handle personal or sensitive data.
Some might see the introduction of a government-led initiative as a costly interference. The industry already does a good job of managing its own affairs when it comes to security, as is the case with ISO/IEC or other standards bodies. But such measures are important to coordinate the efforts of the users, not just providers, and to build confidence and integrity in an industry that must continually adapt to the problems it faces, whilst also feeling their effects.
The recent and arguably more cohesive response to managing and protecting UK digital interests has thankfully come at a time when, publicly, information security is starting to appear increasingly important, particularly in the eyes of the tech industry, which has a vested interest in which policies become legislation. With private citizens' personal data in some cases only a login screen away, a serious incident could potentially affect a lot of users.
Cyber security is huge business. The market is expected to grow to almost £120 billion by 2020 and the estimated global cost of cybercrime is £266 billion annually. As the power of the web increases, so does the cost of protecting its legitimate users. Impractical regulations can only add to this cost. Twice if they don’t work. Those within the industry will likely know enough of the pitfalls and risks to maintain some vigilance and avoid any embarrassing mishaps. However, in the last decade an increasing reliance on information broadcast through the internet has become unavoidable for almost all aspects of modern everyday life. Any breach therefore almost instantly becomes public.
2015 saw a spate of high-profile attacks, breaches and other disruptive activities targeting popular brands such as Carphone Warehouse, JP Morgan Chase and Ashley Madison. Cast your mind back to late October 2015 and the breach of TalkTalk's customer data that took place during a DDoS attack. A perhaps somewhat ironic interview at the BBC with TalkTalk CEO Baroness Harding featured her making a token apology to customers for security failures, sitting in front of a computer running Windows ME.
Microsoft ended extended support for its last OS of the 9x series in 2006, which just goes to show how much outdated tech is still knocking around out there. Microsoft only put Internet Explorer out to pasture earlier this year.
Last year an ‘anti-IS’ group going by the name of New World Hacking launched a DDoS attack which brought down some of the BBC’s digital services for a few hours on the morning of New Year’s Eve, apparently as a test of their own capabilities. While DDoS attacks by their nature do not prey exclusively on poor security, they can be expensive, disruptive and the fallout still incurs the cost of computer forensics experts to track down those responsible.
Pure technical failure rarely accounts for stolen information, but the failure to use technology correctly can be disastrous. Weak passwords, outdated software and anti-malware suites, and flawed procedures all contribute to the cybercrime cause.
Many attackers begin with reconnaissance in the form of phishing scams that trick users into installing malware or persuade them to reveal their credentials in the belief that a website or correspondent can be trusted. We are human and we all make mistakes. Computers on the other hand, just do as they are programmed. So when (not if) something goes wrong it can usually be attributed to human error in one way or another.
So what do we need to do to become more cyber savvy? The short answer is, not a lot actually. Everyday users are unlikely to be the target of a focused attack. Nor are they likely to find themselves protecting terabytes of financial data. But that’s no reason to get sloppy.
These days '123Bob' won't cut it. Short, uncomplicated passwords are just far too easy to crack, even without the use of a supercomputer. A quick online search will yield lists of common words, phrases or leaked login credentials that people have used in the past. With brute force methods an attacker will go as far as attempting every possible combination of allowed characters until a match is found. The shorter the password, the quicker this method can be, with some security researchers claiming it takes just six hours to guess every possible 8-character Windows password.
The lesson here is clear then: don't use common words or phrases, and avoid names, obvious number sequences or memorable date fragments, as these could be personally identifiable and easier to guess. 10 characters or more is a good start, and varying the case improves complexity, as does adding random numbers and symbols. Preferably the entire password should contain no general language terms, and you should be changing it every few months.
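As an added illustration of the two paragraphs above (example code written for this article, not e3's own tooling), the Python below checks a password against the guidelines just listed and puts a number on the brute-force claim. The common-word list is a constructed stub, and the guessing rate passed to `hours_to_exhaust` is an assumption rather than a figure from the post.

```python
import math
import re
# Constructed, deliberately tiny stand-in for the "lists of common words" the
# post mentions; a real check would load a full wordlist or breach corpus.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "bob"}

# Character classes with the alphabet size each adds to a brute-force search
# (33 = printable ASCII punctuation plus space).
CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "symbol": (re.compile(r"[^A-Za-z0-9]"), 33),
}

def has_ascending_run(s, n=3):
    """True if n consecutive chars step up by one code point, e.g. '123', 'abc'."""
    return any(all(ord(s[i + j + 1]) - ord(s[i + j]) == 1 for j in range(n - 1))
               for i in range(len(s) - n + 1))

def policy_failures(pw):
    """Return the post's guidelines the password violates (empty list = passes)."""
    failures = []
    present = {name for name, (rx, _) in CLASSES.items() if rx.search(pw)}
    if len(pw) < 10:
        failures.append("shorter than 10 characters")
    if not {"lower", "upper"} <= present:
        failures.append("does not vary the case")
    if "digit" not in present:
        failures.append("contains no numbers")
    if "symbol" not in present:
        failures.append("contains no symbols")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        failures.append("contains a common word")
    if has_ascending_run(lowered):
        failures.append("contains an obvious sequence")
    if re.search(r"(?:19|20)\d{2}", pw):
        failures.append("contains a year-like date fragment")
    return failures

def keyspace_bits(pw):
    """Bits of work for an exhaustive search: len * log2(alphabet actually used)."""
    alphabet = sum(size for rx, size in CLASSES.values() if rx.search(pw))
    return len(pw) * math.log2(alphabet)

def hours_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case hours to try every candidate of the given length at an
    assumed guessing rate (the rate is an assumption, not a figure from the post)."""
    return alphabet_size ** length / guesses_per_second / 3600
```

Running `hours_to_exhaust(8, 95, 3e11)` shows that the post's six-hour figure for an 8-character password corresponds to a guessing rate in the hundreds of billions per second, which is what makes length the cheapest defence.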
Access through a compromised account is one way to get into a system or server, and once inside, if the information held there isn't encrypted then it's game over and all other security measures have been in vain. With the use of strong encryption, even if the data is stolen the thief is unlikely to know the key needed to decrypt it.
To brute-force a 128-bit AES key with today's most powerful supercomputer would still take longer than the universe is likely to exist, so your data is theoretically safe forever, but still stolen. Since Roman times cryptography has been by far the most effective method for keeping unwanted eyes from reading your most prized secrets, and it is still very much the last line of defence before resorting to total destruction of the storage medium.
Not the publication. Although as far as I’m aware they have never suffered a breach.
This is more to do with the way we handle sensitive information not held on a computer. ‘Clean desk policies’ for example encourage us to be more careful with the data we leave on display, keeping documents locked away rather than left out on a desk overnight. Similarly, writing down a username and password should never happen but if it is an absolute necessity they should never be written together on a post-it note and stuck to your monitor. To quote convicted hacker turned security consultant Kevin Mitnick: “Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain”.
Security is a top priority for everyone nowadays, from data-conscious millennials online to physical airport terminals. Everyone is keen to become safer. How do brands and companies create a secure digital experience for everyone that promotes trust and transparency in an untrustworthy time?
e3 is hosting a free event for senior brand marketers concerned about the pressures and pitfalls of online security in the age of personalisation – and discussing how to make a secure experience a better one. With Bristol Airport sharing their latest 24/7 security approach, this is a must-attend event. Register here for your free ticket.
For more information about how e3 helps some of the world’s most secure companies stay that way, contact firstname.lastname@example.org