Build security into the fabric of your organisation

May 29, 2018

Use the lessons learned from past attacks, make security a high priority in the organisation, train staff appropriately, and source solutions that are reputable, transparent and independently audited.

This article by Wire co-founder and CTO/COO Alan Duric appeared originally in SC Magazine in March, 2018.

Defending against cyber-threats is like playing Jenga: one loose block can weaken the entire tower and eventually bring it tumbling down.

[Image: a boy playing Jenga]

In September 2017, Adobe narrowly avoided this situation when it accidentally published its private PGP (Pretty Good Privacy) key on the company blog, leaving reams of internal and customer data vulnerable to infiltration by third parties. Luckily, the blog post was taken down promptly. The ramifications could have been enormous for Adobe if the mistake hadn’t been discovered quickly and the key had ended up in the wrong hands.

This little “accident” exemplifies a wider issue, which goes beyond companies being irresponsible with data.

Humans are the weak link

An alarming number of data breaches are caused by human errors like this. A report by the London-based consultancy Willis Towers Watson found that 90% of all cyber-security incidents are caused by human error or behaviour. Given that almost half of UK firms were hit by a cyber-breach in 2016/2017, it’s clear that there is a lack of attention to security within businesses.

Part of the problem lies in a general organisational apathy towards training and awareness of security processes. eBay, for example, was the victim of a hack in 2014 which leveraged phishing attacks: by gaining access to as many as 100 employees’ credentials, the attackers were ultimately able to exfiltrate the personal information of 145 million customers. Surprisingly, the intrusion went unnoticed for many months, and ultimately resulted in eBay lowering its annual sales target by US$ 200 million (£140 million).

A company as big as Adobe or eBay needs to set an example for corporate responsibility, but all firms, regardless of size, must protect their customers and shareholder value. These slip-ups are indicative of a lack of investment in security. Ultimately, the issue at Adobe was due to security not being built into their applications and procedures from the ground up. A checking system or authentication procedure would have prevented something as critical as a private PGP key from being released in a public blog post.
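What such a checking system can look like in practice: the following is an added example, not code from the original article or from Wire, showing a pre-publication gate that scans outgoing text (a blog post, a README, a commit) for armoured private key blocks of the kind Adobe leaked, and refuses to publish if one is found. The marker table, the sample post and the function names are assumptions made for this example; the public-key block and key bodies in the sample are constructed, not real keys.

```python
"""Pre-publication check for private key material.

Added example, not part of the original article or Wire's own tooling.
It scans text that is about to be published for armoured private key
blocks and reports where they start, so a publishing pipeline can
refuse the content before it goes live.
"""
from dataclasses import dataclass

# Begin/end markers of the armoured formats a leaked key usually takes.
# The set of formats and the names are assumptions for this example.
_PRIVATE_KEY_MARKERS = {
    "pgp": ("-----BEGIN PGP PRIVATE KEY BLOCK-----",
            "-----END PGP PRIVATE KEY BLOCK-----"),
    "openssh": ("-----BEGIN OPENSSH PRIVATE KEY-----",
                "-----END OPENSSH PRIVATE KEY-----"),
    "pem_rsa": ("-----BEGIN RSA PRIVATE KEY-----",
                "-----END RSA PRIVATE KEY-----"),
    "pem_ec": ("-----BEGIN EC PRIVATE KEY-----",
               "-----END EC PRIVATE KEY-----"),
    "pkcs8": ("-----BEGIN PRIVATE KEY-----",
              "-----END PRIVATE KEY-----"),
    "pkcs8_encrypted": ("-----BEGIN ENCRYPTED PRIVATE KEY-----",
                        "-----END ENCRYPTED PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # which marker matched
    line: int       # 1-based line where the BEGIN marker appears
    complete: bool  # whether a matching END marker followed it


def find_private_keys(text: str) -> list[Finding]:
    """Return one Finding per private-key BEGIN marker in the text.

    Public-key blocks (e.g. PGP PUBLIC KEY BLOCK) are deliberately not
    matched: publishing those is the intended, harmless case.
    """
    findings: list[Finding] = []
    lines = text.splitlines()
    for i, raw in enumerate(lines, start=1):
        line = raw.strip()
        for kind, (begin, end) in _PRIVATE_KEY_MARKERS.items():
            if line == begin:
                # Look only at the lines after the BEGIN marker for its END.
                complete = any(l.strip() == end for l in lines[i:])
                findings.append(Finding(kind, i, complete))
    return findings


def is_safe_to_publish(text: str) -> bool:
    """Gate: refuse anything containing a private-key marker.

    A truncated block (BEGIN without END) still leaks key material,
    so an incomplete finding blocks publication just the same.
    """
    return not find_private_keys(text)


# Constructed sample post: a legitimate public key, followed by a private
# key block pasted by mistake. The base64-looking bodies are placeholders.
SAMPLE_POST = """\
Our new release is signed. Verify it with our public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFx...constructed-placeholder...
-----END PGP PUBLIC KEY BLOCK-----

(editor pasted the wrong file below)

-----BEGIN PGP PRIVATE KEY BLOCK-----
lQOYBFx...constructed-placeholder...
-----END PGP PRIVATE KEY BLOCK-----
"""


if __name__ == "__main__":
    for f in find_private_keys(SAMPLE_POST):
        state = "complete" if f.complete else "truncated"
        print(f"line {f.line}: {f.kind} private key block ({state})")
    print("safe to publish:", is_safe_to_publish(SAMPLE_POST))
```

Wired into a CMS pre-publish hook or a pre-commit hook, a check like this costs nothing when the content is clean and turns a company-wide incident into a rejected draft when it is not; the point is that the check runs automatically rather than relying on an editor noticing the difference between a public and a private key block.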

The problem with legacy systems

Legacy systems like Pretty Good Privacy (PGP) place an unnecessary burden on companies, and especially on their employees, and leave too much room for error even with proper training. Ironically, even the inventor of PGP doesn’t use it because it’s not user-friendly enough.


Other older systems like secure shell (SSH) keys have been compromised in the past for the same reason. In 2014, JPMorgan Chase experienced a breach after the bank’s security team had forgotten to implement two-step verification on one of the network servers. As a result, the firm spent around US$ 250 million (£176 million) annually on information security and pledged to employ 1,000 people in its tech teams and train them specifically for security roles to prevent a similar breach occurring again.

The fact is that solutions offering a similar or even better level of security exist today, and they are designed and built in a way that makes them easy for regular staff members to adopt and use.

Off-the-Record Messaging (OTR) and Proteus are great examples of communication protocols that hide the complexities of end-to-end encryption.

One legacy system that suffers from a lack of built-in security is email: as many as 97% of phishing emails contain a form of ransomware. Much of this comes down to employee error, as alarmingly, 45% of people click on unknown links despite knowing the risks. Systems like PGP are still commonly used to secure email, so it is clear that email in its current form, even with protections like PGP on offer, can no longer be trusted for sharing sensitive information unless its security design has a serious overhaul.

Building security from the ground up

Applications must be designed from conception with security at the forefront, and end-to-end encryption provides this. With plenty of systems on the market, the challenge is in finding a solution that fits a business’s needs and identifying trustworthy applications. Companies need to know that their applications are safe from the prying eyes of cyber-criminals and malicious actors. They can do this by determining their company’s needs and implementing an appropriate security solution into their model.


With up to 92% of reported vulnerabilities found in applications, not in networks or arriving via the internet, it is vital that companies do their due diligence. Apps must be thoroughly checked and audited before they’re considered for use. This isn’t happening enough today. One stark example comes from August 2017, when Lookout Security Intelligence found SonicSpy malware, which integrates itself into phone apps to silently record audio or send other communications remotely, in over 1,000 apps on the Google Play store.

Clearly, companies are playing with fire if they make lazy choices when it comes to their security, which is why they need to source solutions that are reputable, transparent and independently audited.

Picking and deploying open source solutions is key. This enables companies to see exactly what has gone into a piece of software. Using open source, audited solutions as the foundation of an organisation’s security will instill confidence in customers, and makes security a selling point against competitors.

Looking to the future

Privacy and protection of data should not be an afterthought. The EU’s upcoming General Data Protection Regulation mandates increased attention to, and protection of, sensitive data from May onwards.

Organisations need to review, and likely change, their own business processes and internal software, and also audit the third-party solutions that manage their customer data. End-to-end encrypted solutions offer an advantage here, as data leaks are impossible by default.

Safeguarding against potential attacks has also become increasingly important as smart, connected devices and automation become the norm. It’s too late to realise that your security isn’t up to scratch after an attack has occurred. After all, it’s all too common to read another article about how easy it is to hack baby monitors or security cameras.

Whether your business builds its own solutions or relies on development and manufacturing partners elsewhere, you must choose the right technology. Look at end-to-end encryption again: the Proteus protocol offers multi-party, multi-device communication (device-server-user), and the IETF is working on a standard encryption protocol that the whole industry will hopefully adopt.

Give your IT security team a front-row seat when designing and implementing products and procedures, or when adopting software for internal use. This is crucial to dealing with the current and future challenges of the industry; otherwise, be prepared to pick up the pieces when your business falls apart.

Alan Duric, co-founder, CTO/COO, Wire
