The UK Government has today published a rather interesting report into the costs of cyber-crime. There are some good statistics in it (these exclude copyright theft such as peer-to-peer sharing):

-      The cost to UK industry is £21B annually, out of a total UK cost of £27B.

-      The largest costs are for Intellectual Property Theft and Espionage at £9B and £7B respectively.

The more detailed IP theft numbers are worth a closer look – they show the sectors with the greatest costs are the IP-rich ones: Biotech & Pharmaceuticals, Electronics, IT and Chemicals, all at over £1B per annum. Obvious when you think about it, but a very different set of targets to the financial services ones we traditionally think about.

The full report is only 8 pages and is worth a look – it’s available at http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime.

Lucy (the small/medium business owner/director): So how should I go about protecting my data and that of my customers? (subtext:  he’s going to tell them I need the new SuperSecure MegaAntiBadGuy 35Function HyperIntegrated AllPurpose Security Widget V2.1.4 and that he can, of course, supply that at a spectacular price and would I like to sign here please.....)

Me: what you really need is to firstly do a risk assessment to understand what the threats to their business are, and work out strategies to mitigate these risks. And in most cases, people and processes are far more important than boxes with flashing LEDs.

Lucy: Oh, interesting. And how should I go about doing that as I’m not a security expert and neither is anyone else in the company?

Me: Well, you could consider becoming ISO27001 certified which will let you develop a Management System to systematically monitor and mitigate information security risks throughout your business.

Lucy: (with fear showing in her eyes and getting ready to run...) But that would cost me £10k’s and I’ve still got scars from the ISO audit at my last company......

Me: OK, well how about something more affordable and less of a commitment than a full ISO audit. What if we could bring in a top security expert into your business? We’ll limit the on-site part to two days as we know you are busy people. We’ll perform a full fact-find throughout your business across your processes, people, IT and comms, and then develop a set of recommended, prioritised actions which you can then implement at your own pace, as time and budget allows. It would show you how to secure your business operations, ensure you know the information security risk environment your business operates in, show how to meet your legal obligations, and allow you to demonstrate to your customers that you take your security and privacy obligations seriously. And provide a step on the path towards the management systems infrastructure a full ISO27001 implementation would provide.

Lucy: But consultancy always makes me nervous – jobs always take longer and cost more than expected.

Me: At a fixed price.

Lucy: Now you’re talking.....

Now, whether or not you need the sort of Security Operations Audit Lucy and I discussed, the morale of the tale is clear. When a security vendor tells you all about the latest widget and how it will solve all of your problems, step back and think. Do you know what the real risks to your business are? What is the real value to you of that set of PowerPoints that are close to your heart, describing how you will target your biggest competitor’s customers? If your biggest threat is that the competitor stumbles across it a week before you launched, and the cost of that to you would be £10k in lost sales, is it really worth spending £5k on infosec technology to take that from a 1% chance to a 0.01% chance?

But what about that old mailing list you have lying about on the server? It’s full of personal info about the people on it, many of whom subsequently became your clients. If that gets accidentally linked to your website (it happens, http://www.bbc.co.uk/news/technology-11425789), would your clients start wondering about your data security and become far more demanding about assurances, certifications and liabilities? Would you spend much of the next couple of months in deep conversation with the Information Commissioner’s Office about how you will ensure you don’t breach the Data Protection Act again? Add in a couple of defecting clients and the lost business their word-of-mouth might bring and how much does all that come to? And maybe all it needed is a data retention policy or a firewall configuration to avoid it.

So work out where the real threats are, then work out how to counter them, and only then start talking with the security vendors.

And if you want help, consider our Security Operations Audit, which will set you on the right path for only £3,750.

The proposals are out for consultation now, with a deadline of 15^th January 2011 for comments to be received.

I was speaking with one (non-UK) EU Data Protection Commissioner last week, and his feelings were that this data breach notification obligation was very likely to make it into law. Allowing time for consultation and EU processes would mean a new EU Directive in 2012 with likely 18 months to implement at national level.

The impact of this, of course, would be to increase the consequential cost of any data breaches – more than likely raising the costs of a data breach in the EU to similar levels as the US, over $200 per lost record according to Ponemon. With an average data breach exposing 10,000’s of records, that makes the £500k ICO fines look like a rather small component of the overall cost of a breach.

Brian

Well, it’s finally happened. The powers the UK ICO acquired back in April 2010 to levy large fines of up to £500k on organisations who are being careless with your data have finally been used, with Hertfordshire County Council receiving a record £100k fine for faxing sensitive childcare litigation information to the wrong place. Twice. In two weeks. And a £60k fine for employment services company A4e who lost an unencrypted laptop with 24,000 people’s details on it – not much more than the previous £50k limit, but it shows willingness to use the powers.

I’ve heard numerous commentators and corridor gossipers talking over the last few months about the ICO being unwilling to really do anything, being toothless and unwilling to actually hit anyone with their new powers, so it’s encouraging to see that they are starting to be exercised. Let’s hope that the publicity engendered encourages rather more people to think twice before sending that fax/email/CD..

It’ll also be interesting to see the results of ICO's response to the investigation involving ACS:Law and the alleged breach of the Data Protection Act whereby the names and addresses of some 5,000 Sky broadband customers ACS:Law had accused of illegally sharing pornography along with some 8,000 other alleged filesharers came to be in the public domain after ending up on ACS:Law’s website. No news yet on any outcomes on that one, but it’s interesting to note the quote by the Commissioner made shortly after the event "I can't put ACS:Law out of business, but a company that is hit by a fine of up to half a million pounds suffers real reputation damage"

Typically, once the networks have been scoped down as far as possible by network segmentation, and cardholder data removed from as many places as possible, the most challenging pieces left are those to meet Requirements 10 and 11 around Log Management and Intrusion Detection.

The costs of these elements built using traditional solutions would be made up of three upfront cost elements - 1. a system for Log Management, 2. a system for Intrusion Detection (IDS), and 3. the implementation project – and two recurring cost elements – 1. the maintenance to look after the resulting infrastructure, and 2. the monitoring costs.

In every properly costed analysis we have seen, the largest component is the cost of monitoring the output of the Log and IDS systems to ensure value is extracted from collecting the information. This Security Operations Centre (SOC) team needs to include highly specialised skills, ideally available 24/7 but at least reviewing outputs on a daily basis. For a medium sized implementation, this could amount to one full time equivalent (remembering this is little more than 4 hours per day once holidays and weekends are included). Add to this the costs for the SOC team to have periodic training to maintain competence and deal with staff churn. The implementation project team costs can also spiral as problems of implementation complexity arise.

At Virtuous we are working to provide PCI compliant capabilities with as little impact as possible to an organisation’s delivery and operations. Our approach reduces or eliminates the need for a 24x7 SOC through the use of AlertLogic’s  Software as a Service (SaaS) appliance for Vulnerability Scanning, Intrusion Detection and Log Collection, storage and analysis. We even provide an IDS monitoring and Log Review service where the Alert Logic SOC team provide the 24/7/365 monitoring to meet the PCI IDS monitoring and Daily Log Reviews requirements.

The SaaS approach virtually eliminates implementation complexity, and the managed service eliminates customer monitoring and management effort. With zero CAPEX and much reduced OPEX through a monthly fee, the cost typically shows a 50-70% saving over the more typical, in-house deployments.

So come along and chat with us to hear more about how you can join the 1000 customers already saving up to 70% of the total cost of buying, building and running Log Management and Intrusion Detection systems

Well, no, not really.

There is indeed a new PCI-DSS V2.0 coming out. It’ll be published on October 28^th 2010 and will become the effective version of the standard on 1^st Jan 2011. V1.2 isn’t dead immediately, however, and will continue to be acceptable for compliance validation until 31^st December 2011.

Changes are evolutionary, rather than revolutionary.  Highlights include welcome guidance of PCI DSS compliance in a virtual environment, acknowledgement of risk-based approaches to vulnerability management, and some other clarifications on the intent of the authors. The full list is at http://www.pcisecuritystandards.org.

So what will be the impact? The devil is in the detail, but assuming no surprises, then the new version creates no new significant hurdles to overcome, addresses at least in part the use of virtual environments (although I think this one will have some way to go), and goes at least some way towards creating greater consistency between QSAs by clarification.

Given the relatively small changes involved, we would hope that the card brands and acquirers will take a fairly lenient view of anyone slow to upgrade from V1.2 compliance, especially given the various estimates going around of 80-90% of merchants not yet being compliant with any version!

So good news all round then, all that merchants need is to find enough time and budget to specify, implement, deploy and operate the monitoring systems needed to demonstrate compliance......   Easy, or at least it is if you ask us!

Brian

We also conducted a prize draw for a bottle of Champagne. The lucky winner was Deirdre Maguire who works for Computer Aid International. Computer Aid International  is a UK registered charity that aims to reduce poverty through providing high quality, professionally refurbished computers for reuse in education, health and not-for-profit organisations in developing countries. So far, Deidre explained, Computer Aid has provided over 160,000 PCs to where they are most needed in more than 100 countries across Africa and South America. We really like this charity and would wholeheartedly encourage you to consider them as a destination for your end-of-life equipment.

PCI London is designed specifically for professionals who are responsible for managing key functions within global and national organisations that include banks, merchants and acquirers, such as information security, IT, risk, compliance, fraud, audit, QA, policy, and governance. This community meeting brings together an exclusive audience in order to discuss the most efficient and cost effective solutions for overcoming the key security and compliance challenges faced today.

Virtuous Networking is pleased to be exhibiting at the event and look forward to discussing with customers how we can address PCI with our innovative managed services approach to meeting compliance.

PCI London is on 1st July 2010 at the Park Plaza Victoria Hotel, London, UK