
Spring SASIG 2014 – key highlights and thoughts

Highlights of the Security Awareness Special Interest Group (SASIG) Spring overview: 9th June 2014: "Cybersecurity and the Insider Threat"


“By far the most useful security event I have attended this year.”


“SASIG is invaluable as it provides education, networking and collaboration in an open forum.”


“SASIG has done it again - insightful, relevant and invaluable as always. We need more!”


“This was my first SASIG experience and I am already looking forward to my next.”


The Security Awareness Special Interest Group (SASIG) was proud to celebrate its 10th anniversary at the group’s spring meeting, hosted by Deloitte in New Street Square on 9th June. It was a pleasure to see such a diverse range of companies represented and to listen to the many and varied opinions raised. There was a real buzz around the event and, with a record number of guests in attendance, it was a fitting day to celebrate 10 years of SASIG.


The event was opened by Martin Smith, Chairman and Founder of The SASIG and The Security Company (International) Ltd. He began proceedings by reinforcing the need to finally get to grips with the ‘Insider Threat’. An audience of more than 170 senior security executives from both the public and private sectors took part in the discussions during the day, giving their views about how they are addressing the human factor in cybersecurity.


Mike Maddison, Partner, Security and Testing Lead, Deloitte, opened the discussions with his presentation “Bringing the Insider Threat to life”. He promoted the message that dangerous behaviour and security practices are usually ingrained in people and therefore they find it difficult to adjust. It was largely agreed that in order to change behaviour, organisations must first identify where their current security culture originated from. He also touched on how companies need to recognise their role in helping staff to understand what to do and how to do it in regard to security behaviour.


Mike explained that to create a culture of security awareness within an organisation, the root causes need to be tackled. He believes that without a layered mitigation approach, it will be difficult to reduce the risk of an insider threat.


Christopher Graham, UK Information Commissioner and Vice-Chair of the EU Article 29 Working Party, Information Commissioner’s Office, offered the Regulator’s view on cybersecurity and data protection.


The Commissioner gave an open and honest account of his views on cybersecurity and the role of organisations in protecting information. He was able to give a valuable insight into his world, due to the confidential and secure environment SASIG provides, before taking a number of questions from the floor.


For more information on the role of the Information Commissioner’s Office and Data Protection legislation, you can visit their website at http://ico.org.uk/


Barbara Mellish, Director of Payments Integrity & Security, Payments Council, shared with SASIG a view of the ‘Insider Threat’ from the viewpoint of the financial services sector. She focussed on how it has long been an issue for financial institutions to contend with and how greed, privileged access and weak governance all have their part to play.


Barbara posed the question: “with our increasing ability to connect and the perpetual flow of new cyber risks, are we sufficiently equipped to deal with such threats?” Responses from the auditorium made it clear that attendees believed the answer to this question was ‘no’.


Vanessa N., Director, Centre for the Protection of National Infrastructure (CPNI), talked about the range of threats to the UK’s national security, such as terrorism and espionage, which have caused concern for decades. She discussed how insiders, and cyber insiders in particular, represent a risk which remains generally invisible to organisations at board level. Yet the consequences of such inside damage could be a direct hit to the bottom line, as well as to corporate reputation.


Vanessa reinforced the message that cyber insiders are not going to go away, and that protective security has to be an all-embracing portfolio of measures that effectively addresses and manages people risk.


Martin Smith, Founder and Chairman, The Security Company (International) Limited and The Security Awareness Special Interest Group, started discussions with a sobering thought; that the vast majority of breaches and security events occur at the most basic levels of our defences.


It was agreed that most attacks succeed by subverting physical security, by exploiting sloppy housekeeping, errors in system operations and patching, and by directly targeting people. Martin emphasised that it is the “Mark 1 human being” that remains the greatest and continuing weakness in the cybersecurity regime. But at the same time it can be our greatest supporter. He then suggested it is the breach of trust that we must fear the most, not the breach of security.


Martin rounded up by explaining that a united and holistic approach is required across the security industry, which recognises the role of both people and technology in a company’s defences. Delegates agreed that you cannot have one without the other, and that both have a vital part to play. Martin spoke about how it is through awareness and education that this can be achieved. By alerting employees to the risks and ensuring they take responsibility for reporting suspicious activity, they will bridge the gap that technology cannot fill.


Jonathan S., Head, Personal Security, Centre for the Protection of National Infrastructure (CPNI), began by reminding the audience that betrayal by those we trust is nothing new. He suggested that as technology advances, it has become easier for employees to inflict damage on systems and processes, and organisations have been ill-equipped to manage these new risks.


Reflecting on the recent Snowden disclosures as an example, Jonathan provided an overview of what we know about malicious insiders. It was a combination of three key factors that provided Snowden with an opportunity: inadequate controls, absence of management and a poor security culture.


Sir Edmund Burton, Chairman, IAAC, offered an approach to realising the objectives set out in the United Kingdom's security strategies. He spoke about the importance of developing an effective methodology to ‘partnering’ and information sharing, in order to build and sustain early and continuing operational and business benefits.


Jonathan Lloyd White, Director Security & Information, HMRC and Head of Profession for Security, UK Government, shared his personal perspective about the importance of strong leadership in security - posing the question: “what does it mean to be a leader in the security profession?”


Discussing the challenges he faces as Director of Security for HM Revenue and Customs, Jonathan spoke about the importance of leading upwards and using policing as a last resort. The dilemma of self-reporting was discussed during the presentation, as were the difficulties faced by an organisation trying to balance bureaucratic control with personal judgement.


Gary Rayment, Head of Global Governance, Technology Risk Management, Credit Suisse, focussed on the value of employing a holistic IT Security Management Programme. He discussed how this approach allows an organisation to act on growing threat levels and changes in business, technology, operating and regulatory environments.


Alex Chapman, Senior Consultant, Context IS, addressed the anatomy of targeted attacks, which use social engineering techniques to gain access to digital assets. The attacks covered ranged from easily-detected mass phishing campaigns to more targeted, tailored and risky social engineering attacks.


Alex explained that three key controls can be put in place to help organisations better defend themselves against current and future attacks:


  • External / gateway controls: these include email blocking, attachment blocking and verification tools.
  • Personnel controls: these include security awareness training to spot attacks and escalate suspicious emails.
  • Workstation / internal controls: these include patch management, application whitelisting and breach detection.
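The first of those three layers lends itself to a small worked example. The Python below is an added illustration written for this summary; it is not code from the page, from Context IS or from any speaker. It applies two gateway controls, attachment blocking and cheap sender verification, to messages parsed with the standard library. The blocked-extension lists, the header heuristics, the domain names and both sample messages are assumptions constructed for the example.

```python
"""Gateway-style screening of one inbound email (added example, not from the page).

Illustrates "external / gateway controls": attachment blocking and simple
sender-verification checks run before a message reaches a person. The
extension lists, header heuristics and sample messages are assumptions.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Attachment types a gateway refuses outright (assumed policy).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar"}
# Document/image types that serve as the decoy half of a double extension,
# e.g. "invoice.pdf.exe" (assumed list).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attachment_findings(msg: Message) -> list[str]:
    """Attachment-blocking control: flag dangerous and disguised filenames."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        pieces = name.lower().split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
        # A document-looking name whose real extension is something else.
        if len(pieces) > 2 and "." + pieces[-2] in DECOY_EXTENSIONS and ext not in DECOY_EXTENSIONS:
            findings.append(f"double extension: {name}")
    return findings


def sender_findings(msg: Message) -> list[str]:
    """Verification control: From / Reply-To consistency and auth results."""
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = _domain(reply_addr)
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # A display name that itself looks like an address at another domain.
    if "@" in display and _domain(display) != from_dom:
        findings.append(f"display name address does not match From domain: {display}")
    # Simplified reading of the receiving MTA's Authentication-Results header.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for check in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if check in auth:
            findings.append(f"authentication failure: {check}")
    return findings


def screen(raw_message: str) -> dict:
    """Verdict plus reasons for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = attachment_findings(msg) + sender_findings(msg)
    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}


# Constructed sample: a lure that trips several of the checks above.
SAMPLE_PHISH = """\
From: "Finance Director" <director@corp.example.com>
Reply-To: payments@corp-example-billing.net
To: staff@corp.example.com
Subject: Urgent: updated invoice
Authentication-Results: mx.corp.example.com; spf=fail smtp.mailfrom=corp-example-billing.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice and approve payment today.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample: an ordinary internal message.
SAMPLE_CLEAN = """\
From: Alice <alice@corp.example.com>
To: bob@corp.example.com
Subject: Minutes
Authentication-Results: mx.corp.example.com; spf=pass; dkim=pass
Content-Type: text/plain

Minutes are on the wiki.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_CLEAN):
        print(screen(sample))
```

Each check is deliberately cheap and header-only, which is what makes it suitable at the gateway; the lure is quarantined on four independent grounds (blocked type, double extension, Reply-To mismatch, SPF failure), so a lure that evades one heuristic is still caught by the others, while the clean message passes with no findings.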


David Emm, Senior Security Researcher, Kaspersky Lab, talked through the ways attackers seek to manipulate humans when launching targeted attacks. Taking a look at the random, speculative attacks that dominate the threat landscape, David discussed how even though such attacks can be highly complex and use sophisticated techniques, they often start by ‘hacking the human’.


David went on to discuss issues around the huge volume of information shared online, and how the growing use of social media in business has undoubtedly helped to fuel such attacks.


Rona Beattie, Professor of Human Resource Development, Glasgow Caledonian University, and Dr David BaMaung, Glasgow Caledonian University, ended the day with their discussion of the role of HR in organisational security. They considered the potential for HR to play a key role in countering insider threats, and the dangers of the current lack of understanding and lack of training for HR staff.


They went on to discuss the partnership between Glasgow Caledonian University and Police Scotland, which aims to identify the gaps in security awareness and knowledge within the HR function. Rona and David emphasised the importance of developing an academic qualification for HR and other professionals. This would provide awareness training and education to combat the potential for insider attacks in organisations.