Forensic specialist: ‘Security is a board matter’

Now that online attacks on specific, often senior officials in organisations are increasing, technology-based protection is no longer the definitive answer. Alertness, training and information sharing are indispensable, says US expert Laurance Dine from Verizon Enterprise Solutions. “You have to be aware of the risks and build IT security accordingly.”

What are the most salient security issues and trends?
“Our observations are fairly consistent with those of the past few years. There aren’t any dramatic new developments or any new technologies that could lead to huge problems. Having said that, there are some striking examples, such as the statistics on social engineering: phishing, e-mails to C-level directors in which CFOs are ordered by CEOs to transfer large sums of money for instance, et cetera. Verizon organises sessions with senior officials to help these people prevent problems.”

Are these sessions primarily intended for knowledge transfer and for raising awareness?
“It may not sound sexy, but that is partly what we have in mind. In the real world, you don’t leave every door unlocked either. Like in the physical world, companies and directors need to realise which doors they lock. Apart from the technological measures you can take, these are the precautions you can take, and must take, yourself.”

Are cyber crime and the prevention of cyber crime more focused on C-level directors? Less technical by nature, but intelligently responding to a specific target group or organisation?
“That’s correct.” This also means that in the security domain there is a shift of responsibilities. If security used to be on the minds of the IT department, it has become a subject that pertains to all board-level officials. All CxOs run the risk of losing their job if they don’t handle this subject adequately. So, yes, in terms of attention and responsibilities the core has shifted to a different, higher level.”

Are C-level directors dealing with this properly?
“This is a somewhat suggestive question that concerns a wide range of officials. I can’t really give an answer that covers these officials in general, but I can indicate where things sometimes go wrong, not so much in technology, but in communication and processes. On the other hand, there are more and more large organisations in various industries where this is done very well or where they are making a lot of progress in the right direction. For it has to be admitted: although it is a difficult subject, companies and boards generally take this very seriously.”

When you distinguish between the companies that are doing fine and those that are lagging behind, what does the former group do that the latter group does not do?
“The front-runners have clear procedures in place for what to do if something goes wrong: they know who has to contact who, and who is responsible for what, for instance. Besides, these procedures and plans are regularly tested, also in practice. On the other side of the spectrum, there are organisations that don’t do anything about security, but I would rather not talk about those. There is a group of companies in between that have taken the right technical measures but that don’t have any contingency plans, and the communication between their departments is insufficient.”

Is it important that somebody at the board level is responsible, like a CISO for example?
“How much importance you attach to security is primarily a business decision. There’s certainly no harm in appointing someone who is responsible, although this person’s job title is less important to me. Sure, it might be a CISO, but is could also be someone from IT, or even a CFO. What matters is what they do when a problem actually occurs. I know CISOs who don’t have a mandate, any responsibility or a budget; they only thing they do is check off the list. I also know IT managers who do everything a good CISO should do: establish structure, set up contingency procedures, put communication lines in place, and so on.”

Isn’t security for a major part the supplier’s responsibility? What does Verizon do, for example, to protect companies better against cyber risks?
“We are pleased to take responsibility for the services we provide. We know the risks, and we know exactly what we can be called to account for. And so do our customers. One of the challenges in our industry is the fact that there are misunderstandings about this; there are no provisions in the contract on this issue, for instance. Sometimes, suppliers are considered responsible for security, but actually they do little more than monitoring things. It’s also important that any problems are solved and avoided.”

Aren’t suppliers better equipped for this role than internal officials, such as CIOs and CISOs?
“The answer will differ from case to case. Generally speaking, however, a more or less specialised supplier has more comprehensive insight into the domain than an individual official who is mostly focused on a clear-cut environment. Via our networks and on the Internet, we can see things happening all over the world all the time. Additionally, we continuously respond world-wide to various forms of attack. We always share this knowledge and information with our customers. Quite frankly, even the largest companies don’t always have the people and resources available that we have.”

Which trends and developments can we expect in the next few years?
“Phishing will remain a huge issue for the time being. You can set up systems and solutions that take care of part of the danger, but as long as people can be reached by e-mail the risk will not disappear. On the technology side, developments will continue. Examples include advanced malware scanners, sandboxes, and solutions that have a finger on the pulse in an Internet of Things environment in which everything is interconnected. With respect to mobile devices, such as smartphones and tablets, we don’t see any increased threats as yet. This may change in the near future, for the number of connected devices world-wide will grow by billions.

Laurance Dine is an American expert in computer forensics. In Great Britain, where he has lived for over thirteen years now, he has been involved in more than three hundred civil and criminal investigations. The Verizon official attended more than two hundred data seizures. Earlier on, he had worked for the US Air Force for about eleven years.

By Hotze Zijlstra

Leave a Reply