Payments, Privacy and Vendor Management - Global Best Practices
This is the perspective of Adrian Davis, a senior research consultant with the UK-based Information Security Forum.
In an exclusive interview, Davis discusses:
Davis heads the Leadership and Management group within the Research and Services Team of the Information Security Forum, responsible for delivering client-facing projects. His team covers topics such as the role and effectiveness of information security; the role and skills of information security professionals from junior analyst to the Chief Information Security Officer and Chief Security Officer; managing and assessing information security in third parties; assessing the possible near-term threats to organizations; and cloud computing.
His prior experience includes international project management, the creation and implementation of project and program offices, risk management and strategy formulation.
Davis has chaired the Marcus Evans SecurIT event for the last two years (2008 and 2009) and is a regular speaker at major conferences, including RSA and RSA Europe.
TOM FIELD: Let's talk about global security concerns today.
Hi, this is Tom Field, Editorial Director with Information Security Media Group, and I am pleased to be speaking with Adrian Davis, a Senior Research Consultant with the Information Security Forum, which is based in the UK.
Adrian, thanks so much for joining me.
ADRIAN DAVIS: It's a real pleasure. Hi, Tom.
FIELD: Adrian, it would be interesting for comparison sake because here in the US we find organizations are very concerned about fraud these days and cybersecurity. From your station in the UK, what do you find to be the top security concerns that are on your mind now?
DAVIS: One of the big things that comes through is really the threat of crimeware as a service, which takes in the fraud. This is where people can buy tailor-made malware to attack a bank or to attack even an individual now, and that malware is well written, it is well supported; some of them offer 24/7/365 telephone support. And they are not often caught by most of the available anti-malware products we have like the antivirus software or firewalls or whatever. That is a big concern over here, and obviously fraud is part of that with phishing.
And that leads us nicely on to the next big problem, which of course is malware embedded in websites; the sort of click-through problem that we are seeing now. I think one of the other things associated with links and malware is of course social networking. There is a big debate about should you allow Facebook, should you block it, should you allow this, should you allow that. At the end of the day, a lot of this is a business decision. If the business wants to use Facebook, we in information security have to carry on and use it, to be honest, and we have to make sure that people use it in a secure manner.
Now there are other things that I think are of general concern, things such as application development and secure coding and the rise of the app. You can now get, I think, tens if not hundreds of thousands of applications for your iPhone or your Smart Phone, and these devices are now increasingly being used to interact with corporate systems. In fact, I think you can buy SAP for mobile, and there is a big problem here about data leakage, data loss if the device gets stolen. And of course they may provide a route for hackers or others parties to get into your corporate systems.
So, I think a lot of the threats are all sort of bound up with each other these day,s and they apply to both banks and pharmaceutical houses, as well as government and states, etcetera because we are all now depending so much more on IP enabled devices.
FIELD: Well, Adrian, you anticipated my next question, which was what are the biggest threats to public and private organizations? So, let me follow up with you and ask, how are you seeing organizations respond to all of these different threats from malware to social networking, to even just the insider threat, which we certainly have seen in the past year or so?
DAVIS: I think some organizations are coping better than others, and I think that is a general comment globally, not just within the ISF membership. A lot of it boils down to how security is perceived. If security is there to help business processes run more securely, run better, then I think a lot of time organizations who have that view are faring better because their underlying processes are robust enough to, if you like, accept and deal with the risks that I have mentioned and you have mentioned as well, Tom.
Other organizations where their security job is to stop everything and block everything, I think they are struggling now because the tide is too great. You cannot now stop and investigate every email, every packet, every message that comes through your corporate network because the volume is just far too big, and any system that can do any of this is going to slow down the transmission rates, which these days people need fast access on the move or when they are watching video or taking part in a webcast.
So, I think the responses actually are much more driven by how security is embedded in your organization. And the other thing that really matters is getting the basics right. It is amazing to me that people still cannot patch critical systems quickly, because very often putting a patch in place is one of the best mechanisms for stopping malware. And the other big one, of course, is handling movers, joiners, leavers -- access management. Basics need to be done well, and then you need to start working on processes.
FIELD: Well, you make a good point there. Adrian, I would like to ask you about some specific areas of concern in the US and get some global perspective from you that might broaden horizons here. Payment security for one; we have talked a lot about PCI in the US over the past year or so; we have talked about the merits of chip and pin and tokenization. What can the US learn from the UK and other global examples when it comes to payment security?
DAVIS: I think a lot of the PCI DSS work has been very useful. However, I think that PCI doesn't necessarily go far enough in some ways, and in other ways I think it goes too far. It is stillï¿½I think they are still trying to strike a balance.
I use chip and pin; I have used chip and pin for years now in the UK. Does it work? Yes. Is it relatively secure? Yes. Of course it can be cracked, but it is one of those extra layers; it just raises the bar and stops what you might call easy theft.
It was interesting that when chip and pin first came in there was actually a rise in other older types of fraud, such as check fraud, as the criminals changed their MO until they realized how they could actually deal with chip and pin and how they could circumvent some of the security. You know criminals will always, always change their MO. They will always try and be half a step ahead or half a step behind.
I think chip and pin is a very good thing. I mean, I am amazed that when I go to America that I buy something on a credit card and I show the front of my credit card, and my signature isn't even checked. You know, to me that is the very basic level of security that everybody should be doing.
In terms of sort of bigger payments, I know that the Treasury is working with a number of innovators over in America to look at how they can stop sort of wire fraud and check fraud through date/time stamping. I think it is a two-way street. We can learn from some of the American experiences, and I also hope the Americans can actually learn from some of our experiences.
FIELD: Another topic for you Adrian, privacy. In the US we have got individual states that are coming up with their own privacy and data security regulations, but nothing at a federal level yet. What can we learn from your experience in the UK and elsewhere?
DAVIS: Well, I think the first thing of course is to get it pronounced right because it is privacy over here in the UK. [laughter] Joking aside this is a big deal because call it what you will, there is a different set of cultural assumptions here.
In Europe, and I am not necessarily saying in the UK at this point, in Europe there is almost a belief that an individual has the right to protect or have their data protected on their behalf by the state and by organizations, and in America, I don't think that is necessarily true. Culturally, I think Americans are much more used to sharing information, and in a way if it then gets used for something else then, yes, they get annoyed, but it is not a big problem. So I think there is a big cultural difference here, and I am not sure that that cultural difference will necessarily go away over the next say five or ten years.
The really big issue at the moment is, of course, the patchwork of legislation and regulation. As you say rightly, there are all the state laws coming through, but you go across the border and Canada has effective privacy regulations and effective privacy laws that are different from the American ones, that are different from the European Union. Within the European Union and in the UK our information laws, data privacy laws, they all differ; they are similar but they are different. And any organization that has to deal across multiple jurisdictions is going to find itself in a real problem because if you comply with one law and you set everything up to work with that law, you may be breaking another law somewhere else, and unfortunately most courts do not recognize the fact that just because you're complying with somebody's else laws means you have to break their own law, so your organization gets a bad press or a slapped wrist or a fine.
I think for me the big thing here is we need to sit down and work together on this one. I am not saying we need a global data privacy standard, but we need to understand what people are trying to achieve and then not necessarily write conflicting laws. And every jurisdiction has laws that conflict, even within itself, and I am thinking here about some of the UK laws where you can't keep data for longer than you use it, yet you have other things that say you must keep the data for seven years no matter what.
So, I think the thing to learn from Europe is: Please try and have a harmonized approach across America, and the second thing is please make sure you don't directly contradict what the public people are saying and doing.
FIELD: And when we settle all of that, we will work on the pronunciation issue.
DAVIS: Yes, exactly. We will tackle the easy things first. [laughter]
FIELD: One more for you, Adrian. I know you have got some expertise in third-party relationships, and that has been a huge concern in the US in the past few years, especially for financial institutions and government agencies, and now for healthcare organizations. What are some lessons that our organizations here can learn from others globally when it comes to third-party relationships?
DAVIS: I think third party, it is the big coming issue. Everybody, especially from an information security perspective globally, is struggling because although we have some initiatives, and I know that BITS are active in America, and we have the ISF now looking at third-party standards, but what we don't have is something that everybody can use and trust.
One of the key things, of course, is if you buy a service from a third party, then they are going to naturally tell you they are going to do everything you want, and of course they do it well, but you can't necessarily prove it. Unfortunately, a lot of problems that we have seen recently for organizations have been caused by failures of security in their third parties. Consumers do not blame outsourced organizations. If my bank loses my bank details sorry, if an outsourcer loses my bank details while it is working for my bank, I don't blame the outsourcer; I blame my bank.
So there are a lot of things going on here, and what we all need to do is try and see if there are a standard set of guidelines or policies or procedures or whatever you want to call them that we can work with the vendor, the outsourcing community who provides us with our services, so that everybody has a baseline of security that we can check on a regular basis. It is costing us money because we as outsourcers have to go an audit all our third parties, and it is costing our third parties money because they have to support our audit,s and they get audited everyday. It is not a satisfactory position to be in.
FIELD: So, we have talked about a number of issues here, payment security, privacy (as you say), third party relationships. If you were to advise large organizations today to improve their information security policies globally, where would you start in giving them that advice?
DAVIS: I think my first advice is: Get your own house in order. Get the basics right, and I mean the basics. As I said before, patching, identity and access management. It doesn't mean go out and buy a big system; it just means to make sure you patch and make sure you know whether all of your dormant accounts really are dormant. Make sure if people leave you can shut down all of their access quickly. It doesn't necessarily mean you have to go out and buy a big system, but it means that you have control over that process and you know what is going on.
Once you have got the basics right -- and let's face it they are not glamorous, they don't earn the big bucks, they don't have big boxes that go ping -- but then is the time to start investing in some of the newer technologies.
The other piece of advice I would give is accept your organization is already in the cloud. It is using Facebook, it's using cloud providers, it's moving its data around, and there is nothing that you can do to turn that tide back. What you have to do is be prepared and be able to help your organization use those securely and deliver business benefit from them. So at the end of the day, that is what information security is here to do is to help our businesses work better, work more securely and get better profits.
FIELD: Adrian, very good. I appreciate your time and your insight today. Thank you so much.
DAVIS: It has been a real pleasure, Tom. Thank you very much.
FIELD: We have been talking about global information security. We have been talking with Adrian Davis with the Information Security Forum. For Information Security Media Group, I'm Tom Field. Thank you very much.