‘It is all about cybercrime now’: is this true and what role then for the (non cyber) security sector?
Chair: Martin Gill
Salvatore D’Agostino – CEO at IDmachines and Co-Founder of OpenConsent
David Crozier – Head of Strategic Partnerships & Engagement – CSIT & ECIT Global Research Institute and Founding Partner Global EPIC
Pablo López-Aguilar Beltrán – Head of IT & Cybersecurity at APWG.eu
Sarb Sembhi – CTO, CISO at Virtually Informed
David Crozier discusses the wide-ranging impacts of cybercrime and puts some measures on it: you will hear about costs of US$600 billion, an expectation that cyber companies in the UK will generate revenues of £10 billion (an underestimate), and victim companies facing a negative impact on their share price. He notes that Covid-19 has exacerbated attacks, occurring at a time when investment in digital transformation has stalled; this has inevitably increased vulnerabilities. You will hear him question whether a holistic approach is possible. He suggests that digital offenders are different from physical offenders and therefore require a different response, including in the ways law enforcement is engaged, since digital offenders are not typically people on the police radar.
Sal D’Agostino is an entrepreneur and emphasises the need to understand the risks in a digital environment, the people and the systems (what enters them and what leaves them, such as information) and the broader digital infrastructure. Offenders aim to be disruptive and/or make money, and they go after soft targets, often rendered as such by a tendency not to adhere to standards and cybersecurity frameworks in their design. He stresses the need to think like offenders when designing products. He also notes that best practice means the need to practice; operational testing is key. He also cites some startling statistics suggesting, in one example, that 80% of door controllers are insecure.
Pablo López-Aguilar Beltrán warns that the cost of attacks is low: offenders benefit from being able to commit offences cheaply and generate potentially huge rewards, with good odds of enjoying their illicit gains without being prosecuted. He pays particular attention to the role of people, noting that last year 85% of breaches had included a social engineering element. In discussing responses, he highlights the specific need to engage the Boards of companies; only if they properly understand can they be supportive of remedies (and investments in them). One of the current challenges is that many, at all levels, do not understand security. You will also witness an interesting set of observations about the connotations of ‘security’ on the one hand and ‘hacker’ on the other.
Sarb Sembhi reminds us of how the physical and cyber domains started to converge as CCTV started to appear on networks; that was some time ago, yet there remains a lack of understanding between the two worlds. He highlights many reasons why they need to work together: attackers don’t work separately, so separated security makes no sense. He underlines the need to educate end-users; engaging them meaningfully is crucial. He is critical of bland statements that security (of all types) is everyone’s responsibility without explaining what that means. In the world of smart buildings, where he operates, he has worked with colleagues to produce guidance that is geared to making sense to different stakeholders. He also notes that he is working to reclaim the meaning of ‘smart’ (which has been used with abandon and too often inappropriately) to include the understanding that if it is not secure then it is not smart; this has been missed in the past.
At the end of the webinar you will hear comments about the important and dynamic role of physical security professionals; concerns that they are becoming redundant in the new highly technical world seem misplaced. Indeed, the range of skills required to be good at security is diverse, and getting things wrong is serious. When we talk about the security world needing to speak with one voice, we don’t just mean physical on the one hand and cyber on the other; we should mean all physical and all cyber. Now that is a challenge.
6th August 2020