Virtuous Networking Blog

Thursday
Feb 17, 2011

It's not all credit card theft in the cyber-crime world...

There is a received wisdom these days that, apart from the odd government-sponsored attack, almost all computer crime is financially motivated and aimed at getting hold of credit card data or bank details. While it’s true that there is a lot of this about, and it has high visibility in the security industry due to regulations such as PCI and the banks’ intense (and necessary) focus on security, it’s not the whole story.

The UK Government has today published a rather interesting report into the costs of cyber-crime. There are some good statistics in it (these exclude copyright theft such as peer-to-peer sharing):

- The cost to UK industry is £21B annually, out of a total UK cost of £27B.

- The largest costs are for Intellectual Property Theft and Espionage, at £9B and £7B respectively.

The more detailed IP theft numbers are worth a closer look – they show that the sectors with the greatest costs are the IP-rich ones: Biotech & Pharmaceuticals, Electronics, IT and Chemicals, all at over £1B per annum. Obvious when you think about it, but a very different set of targets from the financial services ones we traditionally think about.

The full report is only 8 pages and is worth a look – it’s available at http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime.

Thursday
Feb 03, 2011

Why you shouldn't buy IT security solutions......

When I get talking with people at a business function, and I describe what we do, I am often asked by those not in large corporations for advice on how they should go about securing their operation. The conversation usually goes like this:

Lucy (the small/medium business owner/director): So how should I go about protecting my data and that of my customers? (subtext: he’s going to tell me I need the new SuperSecure MegaAntiBadGuy 35Function HyperIntegrated AllPurpose Security Widget V2.1.4 and that he can, of course, supply that at a spectacular price, and would I like to sign here please.....)

Me: What you really need is to first do a risk assessment to understand what the threats to your business are, and then work out strategies to mitigate those risks. And in most cases, people and processes are far more important than boxes with flashing LEDs.

Lucy: Oh, interesting. And how should I go about doing that as I’m not a security expert and neither is anyone else in the company?

Me: Well, you could consider becoming ISO 27001 certified, which would let you develop a management system to systematically monitor and mitigate information security risks throughout your business.

Lucy: (with fear showing in her eyes and getting ready to run...) But that would cost me £10k’s and I’ve still got scars from the ISO audit at my last company......

Me: OK, well how about something more affordable and less of a commitment than a full ISO audit? What if we brought a top security expert into your business? We’ll limit the on-site part to two days, as we know you are busy people. We’ll perform a full fact-find across your processes, people, IT and comms, and then develop a set of recommended, prioritised actions which you can implement at your own pace, as time and budget allow. It would show you how to secure your business operations, ensure you understand the information security risk environment your business operates in, show you how to meet your legal obligations, and allow you to demonstrate to your customers that you take your security and privacy obligations seriously. It would also provide a step on the path towards the management system infrastructure a full ISO 27001 implementation would provide.

Lucy: But consultancy always makes me nervous – jobs always take longer and cost more than expected.

Me: At a fixed price.

Lucy: Now you’re talking.....

Now, whether or not you need the sort of Security Operations Audit Lucy and I discussed, the moral of the tale is clear. When a security vendor tells you all about the latest widget and how it will solve all of your problems, step back and think. Do you know what the real risks to your business are? What is the real value to you of that set of PowerPoints close to your heart, describing how you will target your biggest competitor’s customers? If your biggest threat is that the competitor stumbles across them a week before you launch, and the cost of that to you would be £10k in lost sales, is it really worth spending £5k on infosec technology to take that from a 1% chance to a 0.01% chance?

But what about that old mailing list you have lying about on the server? It’s full of personal info about the people on it, many of whom subsequently became your clients. If that gets accidentally linked to your website (it happens: http://www.bbc.co.uk/news/technology-11425789), would your clients start wondering about your data security and become far more demanding about assurances, certifications and liabilities? Would you spend much of the next couple of months in deep conversation with the Information Commissioner’s Office about how you will ensure you don’t breach the Data Protection Act again? Add in a couple of defecting clients and the lost business their word-of-mouth might bring, and how much does all that come to? And perhaps all it would have taken to avoid it is a data retention policy or a firewall configuration change.

So work out where the real threats are, then work out how to counter them, and only then start talking with the security vendors.
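The arithmetic behind that comparison, written out as a small risk register so the two scenarios can be put side by side. This is an added example, not code from the blog. The first scenario uses exactly the figures quoted above (£10k loss, 1% falling to 0.01%, £5k of technology); the mailing-list figures (£80k impact, 5% annual likelihood falling to 0.5%, £500 for the policy and firewall change) are assumptions made here for illustration, since the post leaves them for the reader to add up.

```python
"""Quantitative risk comparison of the two scenarios in the post above.

Added example, not from the original blog. Scenario 1 uses the post's own
figures; scenario 2's figures are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_gbp: float          # cost to the business if the threat is realised once
    p_before: float          # chance of it happening (per year) with today's controls
    p_after: float           # chance once the proposed control is in place
    control_cost_gbp: float  # what the proposed control costs over the same period

    def expected_loss(self, p: float) -> float:
        """Expected loss = single-event cost x probability of the event."""
        return self.loss_gbp * p

    def risk_reduction(self) -> float:
        """How much expected loss the control removes."""
        return self.expected_loss(self.p_before) - self.expected_loss(self.p_after)

    def net_benefit(self) -> float:
        """Positive: the control pays for itself. Negative: it does not."""
        return self.risk_reduction() - self.control_cost_gbp

    def worth_buying(self) -> bool:
        return self.net_benefit() > 0


# Scenario 1: figures exactly as quoted in the post.
COMPETITOR_SLIDES = Scenario(
    name="competitor-strategy PowerPoints leak a week before launch",
    loss_gbp=10_000, p_before=0.01, p_after=0.0001, control_cost_gbp=5_000,
)

# Scenario 2: the old mailing list on the server. These numbers are ASSUMPTIONS
# made for this example (the post gives none): lost clients plus months of ICO
# correspondence valued at £80k, a 5%/year chance of accidental exposure, and
# £500 of effort for a retention policy and a firewall configuration change.
MAILING_LIST = Scenario(
    name="old mailing list exposed via the web server",
    loss_gbp=80_000, p_before=0.05, p_after=0.005, control_cost_gbp=500,
)


def prioritise(scenarios: list[Scenario]) -> list[Scenario]:
    """Order threats by what they are expected to cost today, biggest first."""
    return sorted(scenarios, key=lambda s: s.expected_loss(s.p_before), reverse=True)


def decisions(scenarios: list[Scenario]) -> dict[str, bool]:
    """Map each scenario name to whether its proposed control is worth buying."""
    return {s.name: s.worth_buying() for s in scenarios}


if __name__ == "__main__":
    for s in prioritise([COMPETITOR_SLIDES, MAILING_LIST]):
        print(f"{s.name}"
              f"\n  expected loss now: £{s.expected_loss(s.p_before):,.0f}"
              f"\n  control removes:   £{s.risk_reduction():,.0f}"
              f"\n  control costs:     £{s.control_cost_gbp:,.0f}"
              f"\n  worth buying:      {s.worth_buying()}\n")
```

Run as written, the £5k widget for the slides removes about £99 of expected loss and so fails the test, while the cheap retention-policy fix for the mailing list removes £3,600 of expected loss against a £500 cost; the prioritised order also puts the mailing list first, which is the post's point: rank by what a threat is actually expected to cost you before talking to a vendor.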

And if you want help, consider our Security Operations Audit, which will set you on the right path for only £3,750.

Tuesday
Nov 30, 2010

New Data Breach Notification Laws incoming from EU

In what would be a major step up in EU data protection legislation, proposals have been published which would require any organisation losing personal data to notify those affected. Also included are a right to be ‘forgotten’ and attempts to further harmonise the requirements across different legal regimes, to make life simpler for multinationals.

The proposals are out for consultation now, with a deadline of 15th January 2011 for comments to be received.

I was speaking with one (non-UK) EU Data Protection Commissioner last week, and his feeling was that this data breach notification obligation was very likely to make it into law. Allowing time for consultation and EU processes would mean a new EU Directive in 2012, with likely 18 months to implement at national level.

The impact of this, of course, would be to increase the consequential cost of any data breach – more than likely raising the cost of a data breach in the EU to levels similar to the US, over $200 per lost record according to Ponemon. With an average data breach exposing tens of thousands of records, that makes the £500k ICO fines look like a rather small component of the overall cost of a breach.

Brian

Friday
Nov 26, 2010

Data Commissioner Bares Teeth with Six-Figure Fines

Well, it’s finally happened. The powers the UK ICO acquired back in April 2010 to levy large fines of up to £500k on organisations that are careless with your data have finally been used, with Hertfordshire County Council receiving a record £100k fine for faxing sensitive childcare litigation information to the wrong place. Twice. In two weeks. And a £60k fine for employment services company A4e, who lost an unencrypted laptop with 24,000 people’s details on it – not much more than the previous £50k limit, but it shows willingness to use the powers.

I’ve heard numerous commentators and corridor gossipers talking over the last few months about the ICO being toothless and unwilling to actually use its new powers against anyone, so it’s encouraging to see that they are starting to be exercised. Let’s hope that the publicity engendered encourages rather more people to think twice before sending that fax/email/CD...

It’ll also be interesting to see the outcome of the ICO’s investigation into ACS:Law and the alleged breach of the Data Protection Act in which the names and addresses of some 5,000 Sky broadband customers ACS:Law had accused of illegally sharing pornography, along with those of some 8,000 other alleged filesharers, came to be in the public domain after ending up on ACS:Law’s website. No news yet on any outcome, but it’s interesting to note the Commissioner’s comment shortly after the event: "I can't put ACS:Law out of business, but a company that is hit by a fine of up to half a million pounds suffers real reputation damage".


Thursday
Oct 14, 2010

Many Retailers Spending 2x-3x more than needed meeting PCI DSS

In my discussions with retail organisations recently I came to the conclusion that many are spending two or even three times more than they need to on PCI DSS IT Security implementations.

Typically, once the networks have been scoped down as far as possible by network segmentation, and cardholder data removed from as many places as possible, the most challenging pieces left are those to meet Requirements 10 and 11 around Log Management and Intrusion Detection.

Built using traditional solutions, the cost of these elements is made up of three upfront cost elements:

- a system for Log Management

- a system for Intrusion Detection (IDS)

- the implementation project

and two recurring cost elements:

- the maintenance to look after the resulting infrastructure

- the monitoring costs.

In every properly costed analysis we have seen, the largest component is the cost of monitoring the output of the Log and IDS systems, to ensure value is actually extracted from the information collected. This Security Operations Centre (SOC) team needs to include highly specialised skills, ideally available 24/7 but at least reviewing outputs on a daily basis. For a medium-sized implementation, this could amount to one full-time equivalent (remembering this is little more than 4 hours per day once holidays and weekends are included). Add to this the cost of periodic training for the SOC team to maintain competence and deal with staff churn. The implementation project team costs can also spiral as problems of implementation complexity arise.

At Virtuous we are working to provide PCI compliant capabilities with as little impact as possible on an organisation’s delivery and operations. Our approach reduces or eliminates the need for a 24x7 SOC through the use of Alert Logic’s Software as a Service (SaaS) appliance for Vulnerability Scanning, Intrusion Detection and Log Collection, storage and analysis. We even provide an IDS monitoring and Log Review service in which the Alert Logic SOC team provides the 24/7/365 monitoring to meet the PCI IDS monitoring and Daily Log Review requirements.

The SaaS approach virtually eliminates implementation complexity, and the managed service eliminates customer monitoring and management effort. With zero CAPEX and much reduced OPEX through a monthly fee, the cost typically shows a 50-70% saving over the more typical, in-house deployments.