FUTURESCOT CYBERSECURITY, 28 April 2016 (page 12)
Unmasked: Where the real danger to company security lurks

Cyber attacks might originate with a reclusive teenager in a white mask, but if organisations want to be safe from them they should focus not on their IT department but on their boardroom.

BY WILLIAM PEAKIN
Paul Boam is speaking about his father, a fireman for 25 years. “When he stays at a hotel, the first thing he does is drop his bag and walk out, via the fire escape. He’s checking it works. At home, before he goes to bed at night he makes sure there’s a key in every door so there would be no delay in getting out. He’s fastidious about alarms, about having the right kind of fire extinguisher. It’s because, in his job, he’s seen some terrible things …”
Boam, a security consultant, is reflecting on the advice he gives to companies about how they can protect their assets from being targeted by a con, a cyber attack or, indeed, an artful blend of the two – and how he leads his own life online and in the physical world.

“You can’t go through the mayhem that has been caused to some of the people that we work with and not bring the experience home with you and think: ‘You know what? I don’t want that to happen to me’.”
He has a clear message for chief executives and company boards: the answer does not lie in technology. Yes, technology can help protect companies, but it is as much about culture: how executives lead their work and personal lives, the practical measures that a company takes to protect its assets, and how confidence can be instilled in employees to challenge any attempt – overt or covert – to circumvent those measures.

The number of recent high-profile hacks of company data – among them Target and Ashley Madison in America and Talk Talk here – has encouraged a belief that cyber security is a black and white issue; that the threat is technological, the solution is technology and it is all down to the IT department. Wrong, says Boam, who is technical director for the Stirling-based firm Net-Defence. Technology can provide a layer or layers of security, but companies are vulnerable in a myriad of ways and human behaviour is often the most significant.
Last July, a global healthcare company lost £18.5m when a fraudster telephoned its finance department in Scotland and requested money to be transferred to accounts in Hong Kong, China and Tunisia. The financial controller believed the man to be a senior member of staff and exchanged several calls with him as well as emails.

The scam involved a combination of social engineering, based on what Boam describes as ‘open source intelligence’ – information available on the internet and social media – and digital manipulation: spoofing the executive’s email address, something which Boam says is easy to achieve.

According to the FBI, impersonating the email accounts of chief executives has cost businesses around the globe more than $2bn in a little over two years. The FBI has seen a sharp increase in ‘business email crime’, a simple scam that is also known as “CEO fraud”, with more than 12,000 victims affected globally. The average loss is $120,000 but some companies have been tricked into sending as much as $90m to offshore accounts.
“It is about your business’s culture and it has to be led from the top,” says Boam. “You can’t pay lip service to it because if you do you will be compromised in some way. It involves a combination of people, processes and technology. Irrespective of where they reside, they can lead to a multitude of risks. It doesn’t necessarily have to be in relation to cyber; that’s just one way that the risk might manifest itself. The chief executive and people at executive level have to take ownership of all the risks and not just consider it to be an IT problem.

“If we speak to a business, have a conversation around risk and security, and they say: ‘You need to talk to the IT director’, then we know we have a challenge. It’s not about technology; it’s about people. Management systems are at the core of the most effective security. If they are embedded at a senior level, at corporate governance level, they work. The further they move down, away from corporate governance, the less chance they have for success. Boards need to truly understand the risks they face.”
A report by IBM earlier this year revealed a disconnect between technology leaders in companies – chief information officers, for example – and the rest of the executive team. It found that chief marketing officers, chief financial officers, chief human resources officers and even chief executives were