Say What You See at Infosec! Have We Learnt Nothing about Information Security?
May 8, 2012, 11:24 am EDT
Last night I dreamt I was back at Infosecurity 2012. Glittering stands. Shiny technology. Throngs of the great and the good in IT security. And then I woke up and remembered that two vendors really did have London double-decker buses as booths, and TV legend Roy Walker did host Catchphrase on our stand!
But seriously, while the show was great, it risked recycling the same old themes with its focus on anti-malware, intrusion detection and security monitoring, among other security industry favourites. There’s so much déjà vu about the show even as it seeks to talk about what’s next. That extends to the new threat bogeymen like advanced persistent threats (APTs), which differ little from the threats of the past in their blend of criminal determination, social engineering and malware.
While there’s nothing wrong with these technologies (nor with how Infosecurity functions as a forum for debate and ideas), it is becoming apparent that investing in them alone simply isn’t doing enough to prevent either high- or low-level e-crime or the data protection compliance mishaps hitting public bodies and private enterprises. For example, PwC, which has been surveying UK businesses on information security threats for many years, says that one in seven large organisations detected hackers within their systems, the highest level recorded since the survey started in the 1980s. Organisations also continue to contravene data protection laws: the UK ICO says there were 730 self-reported data breaches in the last financial year, and, given the reluctance of some private companies to disclose a breach immediately, that figure may be understated. And the pressure to comply with data protection regulations is set to get tougher as disclosure requirements are extended and strengthened, and as authorities like the ICO become more proactive and gain new and wider powers to investigate and fine.
We need to take stock of how IT security works and go back to the fundamentals of data protection. What’s being overlooked in all the excitement about IT security is that there are two steps any organisation can take to protect its data.
One, get rid of static passwords and replace them with one-time passwords (OTP) or whatever form of robust multi-factor authentication works for your organisation. A password that is the same on every login can be phished, guessed or replayed from a stolen database; a code that changes with every use or every time step is worthless to an attacker once it has been seen.
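What “one-time passwords” means at the algorithm level, as an added worked example in Go (this is not code from the original post or from SafeNet): the HOTP and TOTP schemes of RFC 4226 and RFC 6238 that hardware and software tokens implement, plus the server-side check a practitioner actually needs. The check tolerates one 30-second step of clock drift either way, compares in constant time, and refuses to accept a code for a time step that has already been consumed, so a code captured in transit cannot be replayed inside its window. The shared secret is the RFCs’ own test secret; the `verifier` type and its field names are this example’s, not any standard API.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp returns the six-digit HOTP value for a shared secret and counter
// (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation,
// then the low 31 bits of the selected word modulo 10^6.
func hotp(secret []byte, counter uint64) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return int(code % 1000000)
}

// totp maps a Unix timestamp onto the HOTP counter (RFC 6238, 30-second step).
func totp(secret []byte, unixTime int64) int {
	return hotp(secret, uint64(unixTime/30))
}

// verifier is the per-user server-side state (example type, not a standard
// API): the secret and the highest time step already consumed, so that a
// code which has been accepted once cannot be replayed within its window.
type verifier struct {
	secret   []byte
	lastStep int64 // highest accepted time step; -1 means none yet
}

// verify accepts a submitted code for the current step or one step either
// side (to absorb clock drift), compares in constant time, and refuses any
// step at or below the last accepted one.
func (v *verifier) verify(submitted int, unixTime int64) bool {
	want := []byte(fmt.Sprintf("%06d", submitted))
	for _, skew := range []int64{0, -1, 1} {
		step := unixTime/30 + skew
		if step <= v.lastStep {
			continue // already used (or before the last accepted step)
		}
		got := []byte(fmt.Sprintf("%06d", hotp(v.secret, uint64(step))))
		if subtle.ConstantTimeCompare(got, want) == 1 {
			v.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 / RFC 6238 test secret
	v := &verifier{secret: secret, lastStep: -1}
	now := time.Now().Unix()
	code := totp(secret, now) // what the user's token would display right now
	fmt.Println(code, v.verify(code, now), v.verify(code, now)) // accepted once, then refused as a replay
}
```

Two operational points the algorithm alone does not cover: the `lastStep` value has to persist in the user record, not in process memory, or a restart reopens the replay window; and because a six-digit code with a three-step window gives an attacker roughly three chances in a million per guess, the login endpoint still needs rate limiting and lockout.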
Two, encrypt all sensitive data everywhere. And sensitive, by definition, is not restricted to financial details. It extends to all the data that’s valuable to you and your customers and users, and is thus hugely attractive to an e-criminal and highly damaging to mislay or lose. Encryption only delivers on this if the keys are managed and stored separately from the data they protect; a database whose key sits beside it is exposed by the same breach that exposes the data.
To be honest, there’s no excuse for not taking these two steps, because the technology is proven, affordable, and easy to manage and scale to do the job.
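Step two carried through in code, as an added example in Go (not the post’s or SafeNet’s code): envelope encryption with AES-256-GCM. Each record is encrypted under its own randomly generated data key, and only that data key, itself wrapped under a master key (KEK), is stored next to the ciphertext. The KEK is assumed to live in a separate key manager or HSM and is never written to the record store, so a copy of the database on its own yields nothing, and GCM’s authentication tag turns any tampering with the stored bytes into a decryption error rather than garbage plaintext. The `sealedRecord` type, the function names and the sample record are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealedRecord is what goes into the record store (example layout): the data
// encrypted under a per-record data key, plus that data key wrapped under the
// master key (KEK). The KEK itself is held elsewhere and never enters the store.
type sealedRecord struct {
	WrappedKey []byte // nonce || AES-GCM(KEK, dataKey)
	Ciphertext []byte // nonce || AES-GCM(dataKey, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts under a fresh random 96-bit nonce and prepends the nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen splits off the nonce and decrypts; a modified nonce, ciphertext or
// tag makes Open return an error instead of plaintext.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// encryptRecord generates a fresh 256-bit data key, seals the record under
// it, then wraps the data key under the KEK. Rotating the KEK later means
// re-wrapping data keys, not re-encrypting every record.
func encryptRecord(kek, plaintext []byte) (sealedRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return sealedRecord{}, err
	}
	ct, err := gcmSeal(dataKey, plaintext)
	if err != nil {
		return sealedRecord{}, err
	}
	wrapped, err := gcmSeal(kek, dataKey)
	return sealedRecord{WrappedKey: wrapped, Ciphertext: ct}, err
}

// decryptRecord unwraps the data key with the KEK, then opens the record.
func decryptRecord(kek []byte, r sealedRecord) ([]byte, error) {
	dataKey, err := gcmOpen(kek, r.WrappedKey)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dataKey, r.Ciphertext)
}

func main() {
	kek := make([]byte, 32) // constructed here; in practice fetched from the key manager or HSM
	rand.Read(kek)
	rec, err := encryptRecord(kek, []byte("name=A. Customer;card=4111111111111111")) // constructed sample
	if err != nil {
		panic(err)
	}
	pt, err := decryptRecord(kek, rec)
	fmt.Printf("round trip: %q %v\n", pt, err)
	rec.Ciphertext[len(rec.Ciphertext)-1] ^= 0x01 // flip one bit of the stored tag
	_, err = decryptRecord(kek, rec)
	fmt.Println("tampered record:", err) // decryption now fails
}
```

The one rule this design depends on is that a GCM nonce is never reused under the same key. Random 96-bit nonces are safe here because each data key encrypts exactly one record; if a single key were reused across millions of records, a counter-based nonce or a key-rotation schedule would be needed instead.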
Relearning this fundamental two-step lesson is critical because I also fear we are on the verge of forgetting it entirely as we move into a post-PC era based on cloud and mobile computing via tablets, smartphones and other always-on, anywhere-connected devices.
People are, I fear, too blasé about information security risks on these new devices. And the threats are becoming reality as hackers follow the money and turn their attention to iPads and similar devices as they become popular for both personal and business activity.
So we have to start again, addressing both the threats and the misconceptions that users harbour about the inherent security of these new devices. Personally, I find this state of affairs astounding: we seem to have learnt nothing. Let’s hope we all snap out of this dream-like state very quickly.
This entry was posted in Authentication, Cloud, Data Breach, multi-factor authentication, Token and tagged authentication, authentication-as-a-service, cloud, cloud computing, cloud security, data breach, Data Encryption, data protection, data security, key management, multi-factor authentication, OTP, SafeNet, security, security breach, strong authentication, token by Jason Hart.