IET Central London Evening Lecture, Savoy Place, London, 14th March 2018.


The audience in the Turing Lecture Theatre appreciated the talk given by Shadi Razak, the Chief Technology Officer of CyNation, a top cyber security company. 

We are entering a new world: the world of things, and the boundaries are blurring ...


Prepare to be scared, very scared; ask the right questions, put up our defences and adopt the concept of cyber safety.


Important note: These are the author's personal recollections and interpretations, which are likely to suffer from errors and selectivity. There is no endorsement from the IET or the speaker.

Data is the new oil: we're all fountains of data and it's valuable. 


There's been a move from products to services, with the providers holding billions of items of data on us, and all aspects of our lives. We can't keep our data to ourselves; 70% of data losses and security breaches come from our providers (such as FedEx, Dominos), with about 10% of our data turning up for sale on the dark web.

Shadi explained how data flows through all the components of the system: Infrastructure, Business Processes (payments, sales, HR), Applications (Finance, Admin, Logistics, Health care) and Data. If we order a laptop, with customisations, our data is sent to different parts of the business all over the world.


There was the case of a personalized Barbie doll that stored all the customer data on a chip inside it - this proved very easy to hack into. 


Ask ourselves this question: Who and what has access to our data? Nobody knows! Who controls it and keeps it private? 

We looked at three mechanisms through which data can be compromised:


  • Website developer attack: Legitimate business websites are infected.

  • Via a 3rd-party software provider: Infection of a critical SCADA system (a power network, for example) has happened already, and is a topical threat currently posed by Russia (potentially).

  • 3rd-party data stores: Backdoor access to your data storage, e.g. people can steal all your data during a backup.

Look at a smart factory: A scary situation, as hackers can take control of it all. This has happened to a major toy maker. Someone hacked into a fire alarm system and, when everyone had left the building, they got in and stole everything. They could gain control of your robots and hold you to ransom.


Imagine what could happen at your home with devices such as Amazon lock, a baby monitor etc. It only needs a simple bit of code. Even the ICO website was hacked so that all visitors had their PCs infected to mine bitcoins.

An integrated world requires integrated data privacy and protection: compliance and cyber security are two faces of the same coin.

To secure a digital business we need:


  • Transparency: People should know how you are processing and using their data, and who is being given it

  • Duty of Care: Look after your pet, or it will bite you one day; it's the same with data systems

  • Due Diligence: Take active steps to protect the data 

Five steps were recommended:


  1. Discover: Map your digital footprint; load balancing could move your data across the world. Define and classify your data; what is the minimum needed? Map your data flow: don't hand out superfluous data.

  2. Assess your data risk: You can't protect everything. Consider the Data Type, Data Context and Business Context. Define your vulnerabilities and the risk profile. Determine the mitigation strategy. Are there any legal obligations? Prioritise according to the assessed risk.

  3. Protect your Data: Block malicious data theft - it's not difficult or too expensive; prevent accidental data loss; use password protection on all documents and attachments. Mask data that is not needed. Use encryption. Remember that criminals look for easy targets; if we discourage them, it won't be worth their effort. Develop your incident response plan and the responses. You only have 72 hours to report any breach, or risk huge fines!

  4. Control the data flow:

  5. Monitor Data Security & Compliance in real time; AI and machine learning can be used.

In conclusion, we should be moving to the concept of cyber safety. Just imagine that it was your car or the school bus that got hacked... 

Really scary stuff can happen. Ask the questions and stay safe! 

Q & A:


  • Proprietary software: Is it good? Does it work? You just don't know what's in it. It may need validation. Don't just accept that it is OK.

  • What GDPR questions should you ask a Content Delivery provider? Get the answers written down. Get copies of certificates, procedures, etc.

  • We must give the data information to the supplier: what you need it for, the outputs you need. You have the right of clarity from the supplier about how their system makes the decisions, e.g. a mortgage offer should be clearly justified.

  • How much can the Public sector monetise from the data they collect? E.g. Oyster and wifi use. They need the explicit permission of the data owner.