Cyber Risk Security: 14 is the new 8

The CBI Cyber Risk Security Conference attendee line-up included a few companies who make their living scaring you about cyber and data exposures. As such, the event had the potential to revolve around these companies pushing their products to the audience. Thankfully, it didn’t, and companies such as CGI, Sophos, Siemens and NCC delivered fascinatingly insightful talks and demonstrations – simply raising awareness and understanding amongst the audience of corporates. There were so many interesting sound bites, pieces of information and ‘oh really’ moments – but we can only list a few here.

There was a real sense that the UK is a global leader in cyber security. Following the introduction of the Cyber Security Strategy Review in 2010, the UK government has taken a leading role, and the 2015 Strategic Security and Defence Review will take that work to a new level.

The UK government clearly sees cyber security as a mainstay of the economy, providing investors and global traders with a location to securely store data and information. As such, the UK will only stay on top of trade if it continues to provide a safe business environment.

Some sound bites:
1. Only 25% of UK company directors are engaged or involved with cyber security risk. Clearly, the remaining 75% are nearing the point of being negligent by leaving the issue to others. The conference agreed that cyber risk was just another business risk that needs to involve everyone in a company.

2. The biggest cause of cyber/data failure is human. Machines do not commit crimes, people do. A culture of risk awareness is absolutely vital because trust, curiosity and thoughtlessness are the issues that create the biggest opportunities for cyber criminals.

3. 98% of company security breaches would be prevented if basic protocols, as per SANS Institute guidelines, were followed.

4. As software becomes more secure, we’ve seen a big surge in the return to Document Malware Infections. In the old days, these were easy to detect because they were badly written, looked suspicious and came from weird looking addresses. This has changed significantly – new documents look real, are well-written and even give security guidance. Click on them and malware is in your system.

5. Around 350,000 pieces of NEW malware code are sent out every day.

6. 30,000 web pages are infected every day, of which 80% belong to SMEs. Click on the page and the malware enters your system.

7. 14 is the new 8 when it comes to the password system. While a hacker can take up to 3 days to hack a password of 6 to 8 letters, it can take several months to hack a 14-character password. The tip here was to select a saying or a line from a song (‘ScaramoucheScaramoucheWillYouDoTheFandango’, anyone?).
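To show why length matters more than character mix, here is an added example (not from the conference or any speaker) that sizes the search space an offline brute-force attacker must exhaust; the character-set sizes and the guess rate of 10 billion per second are assumed figures for illustration.

```python
# Assumed character-set sizes: lowercase letters, letters+digits, full printable ASCII.
CHARSETS = {"lowercase": 26, "alphanumeric": 62, "printable": 95}


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidate passwords of exactly `length` drawn from the set."""
    return charset_size ** length


def exhaust_seconds(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every candidate at the given rate."""
    return keyspace(length, charset_size) / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration at the coarsest unit that applies."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def compare(lengths=(8, 14), rate=1e10):
    """Map (length, charset name) -> seconds to exhaust, for every combination."""
    return {(n, name): exhaust_seconds(n, size, rate)
            for n in lengths for name, size in CHARSETS.items()}


if __name__ == "__main__":
    # Assumed rate: 1e10 guesses/second, i.e. a fast hash on commodity GPU hardware.
    for (n, name), secs in sorted(compare(rate=1e10).items()):
        print(f"{n:2d} chars, {name:12s}: {human(secs)}")
```

The point to notice is that 14 lowercase letters (26^14) out-sizes 8 characters from the full printable set (95^8) by roughly four orders of magnitude, which is why a long song line beats a short, complex password.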

The presentations by Sophos raised some interesting points:
1. The Deep Web is a fascinating and mysterious place – it’s easy to buy hacker ‘Exploit’ kits online that teach anyone how to hack a website.

2. Hackers are selling their skills in the Deep Web. Sophos brought up a site showing a very simple interface, where dozens of hackers sold their skills on a per-job basis. A DDoS attack on a competitor’s website will cost you $300. Hacking someone’s smartphone? Just $50 will get you all the info you need. Want to hijack a site and demand a ransom to release it? That will be $1000.

3. Sophos set up a ‘Free Wi-Fi Zone’ in an area of New York with two laptops and a couple of other bits of kit. They purchased a domain name for $15, a logo for $5 and a security-rating package for $30. They then allowed people in the street to connect for free. The users didn’t even read the security notice – but by connecting, Sophos could read everything on their phones, tablets and laptops, and collect other data (including employer information via emails). On average people took just 1.3 seconds to connect. The main issue here was how easily a fake hacker site could establish a sense of trust. In 1 hour, 2,000 people connected, but only 1% protected their company information via a VPN.

The presentations by Sophos raised some interesting points:
1. Where are you as a business on ‘the security maturity curve’?

2. Only 3% of global industrial machinery is connected to the Internet; by 2020 this is expected to be 60%. The even bigger Internet of Things will connect trillions of bits of equipment.

3. There is a less than 2% take-up rate of cyber insurance cover in the UK. This is mainly by larger companies.

4. The safest browsers to use these days are apparently Chrome or Internet Explorer. Sophos was particularly supportive of IE, saying that Microsoft has made huge efforts in the past few years to make it secure.

5. Incident Response Plans were poor amongst SMEs and almost none had been properly tested.