Future Watch 2: Cyber Security & Individuals
Today Chris is talking to Gemma Christie about the world’s biggest data breaches, data security at your bank, your mobile phone company, the government, and where Google is going with security.
G: In your original article, you linked to a pretty good infographic that showed the World’s Biggest Data Breaches (http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/). Some of these companies were eBay and JP Morgan. How at risk are large organizations and of course, the individuals that are subscribing to, buying from, or working with these organisations? Are they at risk?
C: I think every organisation is potentially at risk. You cannot drop the ball on cyber security. You’re only as good as your previous day’s clean bill of health. I think one of the things that a security professional taught me when I was first starting out designing systems, is that the answer from security is no. Think like security. They’re not going to let you do this, so what will they allow me to do because I need that data or that transaction to break through what is a secure area?
Security people do not like leakage. They don’t want stuff that’s their organisation’s to be taken and pushed out into the open world. You don’t want rogue users in your environment, and rogue transactions in your environment. You’ve got different types of things that you’re trying to protect, and you need different techniques and you need different types of vigilance. Be it from someone looking at a camera because you’re stopping physical intrusion, through to someone looking at trends in data performance because what you won’t see is the process that’s caused it to go rogue. But what you will see is maybe the evidence of its existence because you’re processing time is getting longer, you’ve got unused threads and you’ve got a database that shouldn’t be there.
Understanding your system and actively understanding what’s going on and being able to report with confidence, “Yeah, I know what’s going on. My data, my system, is safe and secure.” Having that process and those robust checks and balances to make sure people are doing their job and the system is working as designed are key.
G: What do you say to organisations that still haven’t put in place those secure systems?
C: Just do it, mobile phone companies do it, and governments or security organisations tend to do it as well. It’s interesting that we put our mobile phone company and our bank higher up the trust list with our personal data than we do the government.
C: These organisations are paranoid about their responsibility for your data. If they break that trust then, that’s it, it’s game over for their business.
G: Is it all mobile phone providers? Didn’t one have a big data breach fairly recently?
C: Yes it was Carphone Warehouse. The personal details of around 2 million customers were accessed and some for their credit card details. This was the biggest data breach a mobile phone company has had.
Okay, but even that biggest data breach, there was no material impact on people’s transactions or history or ability for someone to, you know, charge things to your card. In some respects, they had a separation, a good separation of data, but what was compromised was people’s user identities, so they had your password logon, your date of birth, your name and your address. In some respects, they exposed themselves to identity theft, and maybe we need to think about going forward how you prove someone is who they are. Again having that ongoing validation, there are some interesting discussions going on in the web sphere as to how that should be done, and multifactorial authentication is the buzzword.
G: Multifactorial authentication. Is that right?
C: Yeah, multifactorial authentication. Asking for more than one verifying piece of identity. You might see this already through logging in with your password and I’d send you a text message and you tell me the code that the text message has sent, so I know that that device that I sent the text message must be tethered to you, and you and the device must be together because you just inputted a circle of information that I was expecting.
G: Yeah, so most banks and the government do that, don’t they?
C: Yes, they do. One of the problems you’ve got is, with security, is that you’re now putting in something that is a validation, and it’s real-time, but it’s added to your time lag of logging on. You’ve now got a dependency on another bit of technology, so another moving part, and you’re slowing the whole thing down, you’re making my experience really poor just because I’m secure. The end user, we are often the guiltiest party in driving the industry to make things easier. We just want to log on, do our thing, and then disappear. “Don’t give me this security fluff. I know who I am. I like you, you like me, let’s just do stuff. Bye-bye.”
Banks and Cyber Security
G: Is there one company that you could pinpoint that’s doing it particularly well?
C: Good question.
G: Thanks. I’m going to ask why next.
C: Okay. I’ve got examples where it’s not done well. My bank is a really painful logging-on experience but it’s quite secure, that’s NatWest.
G: Okay. I’m Lloyds and Santander.
C: Yeah, but compared to the Nationwide, the Nationwide experience is a hell of a lot easier, but it’s notionally less secure because it hasn’t got that additionality of authentication, but it’s the same authentication once you start needing to manage the information that’s on there. There you have security on your banking app where you’ve got security to log in, and then you have additional security to make actions to that information. You know, you need that card reader to be able to say, “Yeah, I can now move money and settle that transaction”.
Again I think there’s some good balance there and a good separation of visibility and activity because it’s that activity that often causes pain. For example, good systems design may mean that an administrator can see various data, but the data is redacted. You’ve got to think about the security in the context of, what am I protecting? What’s going on?
What’s interesting, if you look at where Google is going, they are looking at multifactorial authentication based on behaviour. Recording a constant stream of activity and then going, well hold on, you’re now doing something out of kilter. Many years ago when I bought my wife’s engagement ring, this happened with my credit card. This was an anti-fraud piece where the credit card company noticed that there was this massive purchase… Because it was a big old engagement ring to keep the wife very happy. She asked for pink diamonds and I said, of course.
G: Did she get pink diamonds?
C: She got pink diamonds. Well, she got one. She got one because it was an arm and a leg and she still loves it. It was really cool because the insurance agency NatWest, phoned up and said, “Where are you?” I said, “I’m in a jeweler’s.” I said, “Can you give a code to the sales agent?” I could only be talking to the sales agent in that shop on that number for that transaction to go through.
G: How long ago was that?
C: That was … How long have we been married? 14 years, 13 years, 14?
Yeah. I think that’s it… You’ve got to look at things all round. In all honesty, in terms of security, who would you think does best? Who do you like from a security perspective?
G: Well, I suppose the only companies that I regularly deal with are Lloyd’s and Santander, I suppose they are the most prominent ones that I use. I’m slightly worried now based on what you’ve said because their authentication to get into their website is relatively easy and quick. Although, if I do want to move cash, that is done by a mobile phone. They have to phone me and I enter an authentication code.
C: Yeah. You’ve got that Belt and Braces multifactorial authentication on the impact side. Yeah, it might be really bad if I hacked into your account and I could see your account details, view your account history, and get a very rich understanding of your life.
Cyber Security and Passwords
G: One question. On my laptop, I’ve got a spreadsheet that has all of my logins, usernames, and passwords all contained in one password-protected spreadsheet. How easy is that for someone to get access to?
C: It’s easy … Unless it’s encrypted as well. If your hard drive is encrypted, they would need to know the password for your machine and then the password for that file.
As long as you haven’t printed that file off. I’d also password-protect the folder that it’s in as well.
G: That’s a good idea.
C: If someone is going to get it, they’re going to get it. All security does is add layers of time and hassle to stop someone going through the pain of getting it. The challenge you have is that your password for your one document is going to be something that is incredibly memorable because it would be the one that you don’t want to forget.
The weak link is that one password.
C: Have a think about, how can I create a password that I will always remember. The best way of doing that is to think of a story. The password is in itself, part of the story. Then you might have two completely contrasting stories for your folder and your document.
G: This is a good tip of course for everybody else who is storing personal data on their laptops and PCs.
C: Look, bottom line; if you don’t want anyone to find out about it, don’t put it near a computer. Don’t write it down. Keep it in your head and it’s your secret. As soon as it’s written down, as soon it’s there and it’s done, it’s out there.
- On multifactorial authentication: https://en.wikipedia.org/wiki/Multi-factor_authentication
- On Google 2-Step Verification: https://www.google.com/landing/2step/
Do you have concerns about your own Cyber Security? Let us know in the comments section below.