The organic problem that causes most cyber-security breaches

Over the last 30 years the internet has grown from being a novelty to a necessity. As a result more and more business and personal data are available at the touch of a button.

This convenience, alongside growing legislation, has meant an increase in cyber security and data breaches making the headlines.

However, what’s the biggest security risk?

Josh Hickling from Pentest People gave us the answer – people – during a roundtable discussion on cyber security, held in partnership with global law firm CMS.

Josh, whose day job is to conduct penetration testing on websites and apps for clients, said he saw “similar mistakes time and time again”. Common errors he highlighted included app misconfiguration, which demonstrated a lack of understanding of the threat.

Ian Mann, CEO of ECSC, a cyber security firm based in Bradford with 25 years of experience, picked up the thread that people are the problem. He claimed the lack of understanding of the threat meant that businesses were leaving themselves open to breaches. “In 20 years of incident response we never met a single incident that wasn’t preventable”, he stated. “The idea that hackers are clever, we don’t see it”, he continued, “people make mistakes and hackers exploit it and what they [hackers] do is generally pretty simple.”

One common cyber security breach identified was compromised business email, which Amit Tyagi, senior associate at CMS, said he sees cases of four to five times a week. He commented, “these are typically the result of human error which can be easily prevented via technical or training situations.”

He added that although the systems and software that are common causes of issues have now improved their default configurations, errors still occur. Mr Mann added, “regulations state that outsource providers have to provide security commensurate to risk, not what a user is stupid enough to click on.”

Mr Tyagi added that the language of the law, in this case the GDPR, and the approach of the ICO recognise that some breaches are not preventable. This is based on what the law deems “state of the art”, although the term is not specifically defined.

Melanie Oldham, chair of the Yorkshire cyber security cluster, added that business funding is being put into the wrong area and is therefore not addressing the issue. She said, “Literally about 1% of budget is spent on education, awareness and changing people, with the rest going on technology. This means we’ve got this false sense of security technology when we all know it’s people, the smoke and mirrors that can be created by the industry because people don’t understand it so therefore they can sell anything.”

Following Melanie, Jordan Wilson, managing director of marketing agency Mount Digital, highlighted how a marketing function can often be a weak cyber security link. He said: “As marketeers we’re always looking for the next thing that’s going to give us data and tracking to show how our campaigns work. Unfortunately installing a little bit of third party code to a website can open a raft of different issues.”

He gave the example of Hotjar, a piece of code for tracking website usage. His client’s cyber security team stopped it being installed because of the holes within the code, and it took them six months of working with Hotjar to get the system reconfigured. He added: “that could have been a split second install for most clients.”

Simon Kenworthy, chief technical officer and founder of Cloud Kickers, countered the opinion that people were the problem. He stated: “I don’t think, if the technology issues and the delivery issues are not completely transformed from where they are today; I don’t think people and awareness is going to solve the problem.”

Identifying the vulnerabilities of technology, Andrew Chilvers from MAP Solutions picked up from Simon, saying: “Speaking to someone from the national cyber security centre, he highlighted how the offerings on the ‘dark web’ mean anyone can get access to hacking tools or services which are guaranteed 24/7.”

The results of these human errors can be quite catastrophic, not simply from an operational and reputational point of view but, as Chris Wilson from CMS added: “Not only are there big fines as a result of the ICO and regulatory liabilities but also civil liabilities which could easily match the figures.”

Chris concluded, however, that although the main cause of a data breach may be a person, it is usually the employer that is liable for all breaches, as it is the data controller. This includes potentially being liable for breaches resulting from deliberate or malicious behaviour by an employee, under the rules of vicarious liability. When asked how a business can prepare for such unforeseen issues, Chris explained: “The Courts have recognised the difficulty in preventing these unforeseeable deliberate acts by employees and can only suggest that employers take out insurance against such risks.”
