Cyber security is no longer just about financial and reputational loss

Deputy First Minister John Swinney speaking at the Holyrood Cyber Security 2017 conference - Image credit: Alistair Kerr/Holyrood

Cyber security is no longer about just financial and reputational loss, Tom Scholz, Research Vice President at Gartner, highlighted to Holyrood’s recent Cyber Security 2017 conference.

“In conventional security our objectives is what we used to refer to as the CIA model: confidentiality, integrity and availability.

"In the digital business world, increasingly, we also have to start at the element of physical safety,” he said.

RELATED CONTENT

TechUK calls for G20 governments to focus on data and cyber security

National Cyber Security Centre: ‘It’s entirely possible to build good, secure tech using an agile approach’

Philip Hammond tells business to ‘sharpen its approach’ to preventing cyber attacks, as Queen opens new cyber security centre

In a stark reminder of what could be at stake, Scholz asked delegates to imagine they were in charge of technology for a mining company.

“In a conventional environment, if our company or our enterprise or our agency gets hacked, we might lose some money, it will be embarrassing, the reputation will be damaged, but all of us will go home at night.

“But if you’re like one of my customers, if you work for one of the large mining houses…if somebody hacks into your ventilation control system and switches them off when you have 3,000 people three kilometres underground, people get hurt, or people can die.”

Similar themes were raised by TrendMicro’s Global Vice President Security Research, Rik Ferguson, as he discussed the benefits and threats of smart cities and the internet of things.

He explained: “You’ve got to think about what is the input into [the function of a smart device] and where could a hacker insert themselves into that.

“So we have to think about what are the other outcomes, how would I be able to have a parallel usage scenario or a usage scenario that doesn’t conform to the initial design.

“That’s what people mean when they say ‘think like a hacker’.”

One example he gave was Cayla, a doll that can be used by children to access the internet via voice recognition, which was recently banned in Germany after it was found that it could be accessed via Bluetooth by someone nearby and used to communicate with the child.

By 2018 there are predicted to be £3.3bn connected things in smart cities and by 2020 smart agents such as Siri, Alexa and bots could facilitate 40 per cent of interactions.

Because at present many smart devices are consumer products, it is the purchaser that is responsible for the implications of using them, but that will change, Ferguson suggested.

“When it comes to privacy…who is responsible for this security?” he asked. “Well, right now, it’s you.

“You’re the person choosing to adopt this technology and to use it, you have to take responsibility for the risks that you take to generate to yourself, your family, your business or whatever.

“But as it begins to expand out into smart towns, smart cities, smart government…you people that are responsible for the cities of the future, the services of the future, you’re going to have to recognise that you’re taking this responsibility on you.”

Deputy First Minister John Swinney and Scottish Government Chief Information Officer Anne Moises both gave updates on the Scottish Government’s work on cyber resilience at national level, particularly progress on the Scottish Government’s cyber resilience strategy, a year after its launch.

In the first year this has included setting up the National Cyber Resilience Leaders’ Board, under the chairmanship of Hugh Aitken of the CBI, and a Cyber Resilience Learning Network has been created to bring together key professionals to determine how best to embed cyber resilience into the school curriculum and teacher training.

The National Cyber Security Centre’s Deputy Director for Digital Government, Alison Whitney, said there was a “huge amount” of activity that needs to be undertaken to ensure we are a cyber-resilient country, as she outlined the structure of the new centre, which was formally opened by the Queen last month, as well as some of its key aims and its collaboration work in Scotland.

A lunchtime session provided a quick introduction to GDPR, the stringent new EU data protection legislation that comes into force in May next year.

While on the radar for many already, Napier University’s Professor Bill Buchanan noted with concern that he didn’t see as much discussion about GDPR in Scotland as in London.

But with fines of up to four per cent of turnover for serious data breaches under the legislation, financial costs as well as safety implications are clearly still on the cyber security table.