CIOs can never declare victory in the IT security war. But they can avoid defeat by promoting a vigorous culture of prevention and communication, through which IT tools are best able to meet new challenges. This was the broad conclusion of a recent cybersecurity round table featuring local industry players organised by Dimension Data.

By Stephen Evans

“There is a problem in Luxembourg business culture because too many take a preventative stance,” noted Grégory Blachut Senior Manager Forensic Technology Solutions of PwC Luxembourg. “CEOs think that if they have a strong firewall and expensive anti-virus tools then they are safe, but it is much more complex than that,” he added. Phillipe Huart Operational IT Security Manager for Indosuez Wealth Mangement (Europe) agreed: “There is no silver bullet, so different tools and approaches are needed.”

Threat levels higher than ever

Participants agreed that threat levels have never been higher. Frédéric Lavend’Homme, Business Development Manager for the BU Security with Dimension Data described how the industry is confronting a fourth generation of online threats. As well as worms and viruses, though spyware and the latest Advanced Persistent Threats (APT), “we are moving into the realm of an increased attack surface driven by mobility and cloud computing,” he said. “Defence against these attacks requires traditional tools and techniques, coupled with new approaches using sophisticated intelligence gathering and analytics tools,” he added.

Not only are there more threats, but there are new reasons to want to resist attacks. As well as the multiple negative consequences of espionage, and the possibility of reputational damage resulting from leaks and theft, we have new EU law on data protection. While this legal dimension is not new for the likes of medical practitioners and Luxembourg banks, this change will make privacy a statutory concern for every organisation that collects personal information.

No one-shot solution

“I am often shocked that the perception of APT is like we see on the TV, with high skill hackers working away in a bunker, but it’s just not the case,” commented Frederik Dohen, Luxembourg territory manager of software and cloud security firm Trend Micro. “Most often hacking it is about exploiting simple persistent weakness, many of which have existed for months,” he said. He recommended the creation of a series of defensive measures, driven by solid communication and awareness throughout an organisation. “Often the information about an attack is known, but this is not communicated or acted upon in real time,” Mr Dohen added.

Mr Huart suggested that “application white lists” might be the most effective tool over the medium term for ensuring that only allowed applications are executed, denying all unknown executable files by default. Mr Lavend’Homme agreed that they can be useful as could employee and partner white lists, but that they are not the complete solution. “The CEO would be white listed, but they as much as anyone could be infected or liable to making an error that compromises security,” he said. There was consensus that white lists can limit the scope for attack and thus the range of vulnerability, but that this should not breed a culture of complacency. “The best attacks are by fake users that the system recognises as legitimate,” Mr Lavend’Homme added.

Human-centred defence

“We have many levels at which we monitor the situation both locally and at our Swiss headquarters,” noted Jürgen Blum, Security Officer with the private bank J. Safra Sarasin. “This features an incident response unit and forums for conducting post mortems, and knowledge is shared throughout our group,” he added. Mr Dohen saluted this approach which is gaining currency in Luxembourg, while warning that too many still have a passive approach. “An attack might occur, but some CIOs can then think that once it is repelled they are OK and can wait to implement a comprehensive solution,” he said. Not only does this leave systems open to more subtle attacks in the intervening period, but sometimes fixes are put off indefinitely.

All agreed that security needs to be at the heart of business processes to be most effective. A consultant suggested that Luxembourg CEOs were more engaged than ever with this question, but he suggested that greater regulation or the decision to buy big, expensive tools could create a false sense of security that might distract attention. While tools are needed, staff across the organisation being vigilant and using common sense are also key components. To help, an ISO norm in application security has been created. This includes tests of the effectiveness of how the technical infrastructure works within the organisation.

All participants agreed that the cost of prevention and detection is less than the cost of a long term breach. After all, the worst case scenario sees data leaks threatening an organisation’s existence. All enterprises that use the internet are at risk, but there is no reason why they can’t stay ahead of the hacker in the never-ending race for data security.

If you would like to participate in Dimension Data’s regular discussion forums on IT security, please contact Frédéric Lavend’Homme, IT Security Unit Manager, Dimension Data Luxembourg PSF – frederic.lavendhomme@dimensiondata.com