Cyber security – of witchcraft, ostriches and hammers…

By Paul Prior, Senior Vice President Client Engagement


Information Security is complex. Understanding risk and implementing appropriate mitigating controls, be they technical or otherwise, is a challenge for organisations of any size. There is no getting away from that, but witchcraft?


A recent article in The Register was published with the wonderful sub-heading of “It’s not Advanced Persistent Threats, it’s Adequate Pernicious Toe-rags”. The article referred to the UK GCHQ’s National Cyber Security Centre Chief Technical Director Dr. Ian Levy’s comments at the Enigma 2017 conference regarding the propagation of fear, uncertainty and doubt by security software vendors.


“We are allowing massively incentivised companies to define the public perception of the problem,” he said.


“If you call it an advanced persistent threat, you end up with a narrative that basically says ‘you lot are too stupid to understand this and only I can possibly help you – buy my magic amulet and you’ll be fine.’ It’s medieval witchcraft, it’s genuinely medieval witchcraft.”


Is this perception of “hacking” as a dark art due to the fact that those muggles who aren’t cybersecurity wizards are, as Dr. Levy suggested, constantly being told they are “too stupid to understand”? Or is it because, like the much-maligned ostrich, they prefer to bury their heads in the sand when it comes to information security?


If you believe that it is fear that drives the unjustly slandered ostrich to bury its head (which it doesn’t), then this view of the murky world of hackers is hardly surprising. People fear what they do not understand, and the more we complicate the problem, the less engagement we will get on potential solutions.


The article went on to say: “Dr. Levy maintained that the majority of successful cyberattacks and hacks are not that sophisticated, still using rudimentary – but reliable – tactics such as SQL injections or email phishing to infect computers.” If this is true, then a shocking number of businesses are simply not getting the basics right.




Medieval witchcraft

One doesn’t have to look far to find an analyst, technology or consultancy firm’s survey in which X% of respondents indicate that they don’t know where their sensitive data is, do not enforce controls, have suffered a breach, or did not spend enough on security in the past.


The fact is, X is invariably a significant proportion of those surveyed. So, assuming those conducting this research aren’t all dabbling in the same medieval witchcraft (to use Dr. Levy’s term) as the aforementioned security vendors, then in broad terms something is fundamentally wrong with the state of information security in the world.


Disconcertingly, if you look at the profile of respondents to this type of survey, in many cases they have job titles that include words like security, technology, risk or compliance. I would like to believe that these professionals are not predisposed to aping the previously mentioned, falsely attributed, ostrich behaviour. Why then are so many attacks still exploiting basic vulnerabilities? One might reasonably assume that budget constraints are the most common reason cited for the deficiencies admitted to.


It was, however, a social media comment that brought this issue back home to the payments industry and prompted me to write this post. The comment was a response to a generic “why is security not being addressed?” call for comment among security professionals, and it revisited the oft-quoted anecdotal maxim attributed to Home Depot in response to their data breach: “We sell hammers…” Yes, but selling hammers requires protecting the people, data and infrastructure essential to supporting the business.


Is there a point from which businesses must recognise that, in order to sell hammers, they have to take responsibility for that protection? I think so. I would argue it is from day one.


What then of smaller organisations, those not large enough to support dedicated IT teams, never mind a Chief Information Security Officer?


The level of awareness and understanding among businesses

Despite the valiant efforts of the PCI Security Standards Council, and in particular the Small Merchant Task Force (which includes our very own Natasja Bolton), the level of awareness and understanding about information security is quite obviously well below what might be considered a reasonable expectation, particularly among smaller businesses.


Granted, many small businesses do not have the budget to implement enterprise-grade security systems, but most of them do not even understand what information assets they have, what those assets are worth or why they need to be protected. How to protect these assets, and what a reasonable budget for risk mitigation might be, is simply not considered. Time and again we hear through our support desk: “I don’t understand”, “why do I have to do this… again?”, “why is this my problem? I sell hammers…”


Acquirers arguably provide a vital service to a vast number of small businesses for whom the ability to accept cards is an absolute necessity (you might sell hammers, but you’ll undoubtedly sell fewer if you can’t accept cards!). Because that process relies on valuable and sensitive data, acquirers are in an exceptional position to influence security awareness across small merchant businesses in ways that many others simply are not.


If you are a regular reader of our newsletter or our blog, you will know that we advocate an approach to PCI DSS compliance that emphasises communication, education and awareness: data security over compliance enforcement. But why stop there?


It is in everyone’s best interests to ensure small businesses continue to operate and to thrive, and it is also incumbent on vendors, service providers and acquirers to make it as easy as possible for these businesses to operate as securely as possible.


Hyperbole or not, sophisticated or simple, a real threat exists with real consequences, and where a problem exists there is an opportunity to help. And so, I leave you with a couple of questions to ponder…


What are we doing to educate our customers and to demystify information security, and how are we helping them with the basics, the simple things, to defend themselves against these adequate pernicious toe-rags?

