Last week saw the GSMA’s first Mobile 360: Privacy & Security event take place, which aimed to address some of the issues affecting businesses as they become more digitised. As well as being a beautiful city, The Hague has been developing a strong ecosystem in digital security from academic, government and business perspectives, so it was a natural host for the event. We were fortunate to gain participation from a huge diversity of speakers – not only from all parts of the digital security and telecoms industries but from the worlds of finance, law, automotive, PR, healthcare, government, military, hackers and more.
It made for a really stimulating couple of days; here are just a few topics and observations that stood out from a personal perspective.
1) Fundamentally, it’s not about the technology. The critical elements are the people and the money. Phishing and ransomware are becoming more common simply because they are cheap, straightforward and can generate good returns by preying upon people’s habits and thought processes. Strikingly, when it was pointed out that CEOs and General Counsels are some of the most easily persuaded to open such emails due to the pressures of their work we had a spontaneous admission from a CEO in the room that this had happened to him… and that in his case it had persuaded him to invest in security in a way that the raw business case had not.
Also, while it was possible to hack mobile phones and tablets the economics still weighted attacks heavily towards laptops and PCs, where Windows vulnerabilities were relatively well understood and there was scale – unlike the fragmented Android ecosystem.
While the conventional wisdom at the show was that people are the easiest thing to ‘hack’, ex-military commanders at AMDP showed in a workshop how, with the right forms of leadership and training, they could be made into a company’s strongest point. Meanwhile ex-hacker Karsten Nohl, CISO at Reliance Jio, described his work to shift the IT organisation’s mindset from one of ‘stopping people from doing bad things’ to helping them accomplish what they need to do with a greater understanding of the risks attendant upon those activities.
2) Privacy was a contentious issue throughout the event. Rimma Perelmuter of the Mobile Ecosystem Forum highlighted MEF’s 2016 Consumer Trust Survey results showing the potential business opportunities inherent in adopting a best practice approach to data collection, and even the business potential for applications in cutting back on the data they request from customers. Almost half (47 per cent) said they would pay extra for apps which guaranteed the data collected would not be shared with third parties, with more than one in six (17 per cent) willing to pay a premium of more than 10%. There are good reasons to share data, as ex-USAF general Matt Anderer explained, such as to support your personal security, avoid irrelevant adverts or other benefits. The problem has been a historical lack of transparency over how that personal information is then used and safeguarded by different organisations, leading to a lack of trust.
Associated with this was concern over how privacy and data management should work in a global framework. While companies, internet services, finance and hacking are global phenomena, legislation and regulation remain national, unaligned and often counterproductive to the security or privacy they ostensibly aim to protect. With laws being created rapidly, companies struggle to determine what data they need to hold, and how and in what format, in case changing regulations make carefully built-up databases obsolete or unusable, as Dr Ulf Gartzke of Spitzberg partners pointed out.
One example of pioneering legislation was given by Wilbert Tomesen of the Dutch Data Protection Authority. Since January the law in The Netherlands has required companies to report any data breaches. In the first 130 days they have received over 15,000 notifications… which seems suspiciously conservative not only to the Commission but also to some delegates, who observed that most companies experience some sort of data breach every week, though very few are significant.
Perhaps most challenging was Feridun Aktas of Turkcell, who brought up echoes of the post-privacy movement when he proposed that, thanks to both hacking and modern data aggregation and analysis techniques, there is no such thing as private data any more; only accurate data and useful data. That might explain why, despite the business opportunities inherent in providing services around privacy, the model has not become more prevalent.
3) So, with the understanding that companies will inevitably face breaches and hacks, what can they do about it? Quite a lot, as it turns out.
– First, simply adopting a different approach to your own protection can help. As Wendy Cheshire of Control Risks observed, an ‘attacker mindset’ is key – don’t just assume you know the risks and attacks, or how to respond to them. This is where pen testing/ethical hacking and bug bounties can come in useful.
– Resilience is becoming increasingly critical; that is, the ability to encounter a hack or leak and still function as a business. A part of this lies in simply the ability to identify and contain attacks or even to predict them. Companies like Darktrace and Lookout are starting to use machine learning and complex maths to flag up unusual activity in real time – and, more importantly, the kind of activity that is likely to be harmful to the business – and react. Beyond the technology, though, new forms of risk management/governance are being developed by organisations like TNO to cope with the realities of today’s highly-permeable enterprises that depend on a multitude of third parties, contractors, partners etc in order to function.
– Preparation is everything. When companies experience a breach, the speed and manner of response can massively affect share price, public sympathy/response, regulatory penalties etc. Especially in an era when company valuations can depend on the data they hold rather than their revenues, a bad response doesn’t just affect the share price in the short term but can easily echo on for 6 months. Companies need to have a plan in place so that people know who needs to respond, how they’re going to do it, where responsibilities lie, etc – speed and clarity of response are essential, as both BAE Systems and Deutsche Bank pointed out. It’s not something just one stakeholder can manage, but the size of the team is crucial – too big makes for slow responses and, as a result, a lack of credibility.
This is only a tiny fragment of what was discussed by around 60 speakers in over 20 hours of content. This post could equally have been on access and authentication methods; the need for, and development of, systemic security across different physical and software layers in IoT; issues around data hosting and preventing unlawful intercept; regulations such as the GDPR; physical hacking (as hacker Chris Roberts pointed out, no digital security is useful if somebody can walk off with the servers you keep your data on); the hackathon and startups showcasing at the event; and much more.