Jason Hart, former ethical hacker and Wednesday morning's first speaker, had endured a somewhat tumultuous journey to SuperReturn International. Flying halfway around the world to join us, Jason had contended with flight delays, cancelled connections, lost luggage, and very little sleep.
Luckily, he was certainly on the ball once he got here.
As a former ethical hacker with two decades of experience in the Information Security industry, Jason Hart helps organisations stay one step ahead of advances in cyber threats.
He was here in Berlin to help us do the same, through a whistle-stop tour of what we should be thinking about when it came to information security.
In a nutshell, we should forget everything that we think we know, and completely change our mindset.
Data breaches were going to get worse, they were going to do more damage, and most of us simply weren't aware of how little we were doing about it, he argued.
"Data is the new oil," stated Jason. "Because it's just as valuable. The challenges in security that we face are enormous," he said.
Why is data the new oil?
Because it can be monetised, said Jason.
A hacker can infiltrate data, extract it, refine it, redistribute it and use it for financial and/or political gain. Data integrity attacks have the power to bring down an entire company.
And the problem was only going to get worse, he said, as the Internet of Things (IoT) – the process whereby all products and processes are linked via the internet – proliferates.
"IoT is not your traditional tech," said Jason. "It has multiple personas: the manufacturer of the device, the consumer, the cloud provider, the 3rd parties, the APIs, there are five different environments, processes – and security risks.
While you may think that we are already in the age of data, Jason said, we had barely crossed the start line. The explosion in data was yet to come, driven mostly by the Internet of Things.
"We create more sensitive data than you can imagine. Every time you click on your phone you're creating data.
"Since 2013, over 5 billion pieces of individual information have been compromised – but that's only what has been reported. They occur on a daily basis and they are never published," he warned.
That meant more data for criminals to get their hands on, he said. But the real problem was that it was so easy for them.
Passwords could easily be mined from the web, as could encryption keys, two of the major systems in use to prevent people accessing our data.
"The days of me as an ethical hacker spending weeks to gain access to an organisation" (something at which, by the way, he was 100% successful) "are gone," said Jason. "It now takes minutes, if not seconds."
But the solution, he said, lay in our own hands.
We all need to be a bit more like Jason Bourne.
Bourne, for the uninitiated, is the lead character in the eponymous series of films, who is forever eluding the authorities. He does this by always knowing and assessing what is going on around him – what our Jason calls "situational awareness". We all need to be more like Bourne, suggested Jason.
The problem is that few understand the critical importance of knowing the impact of people, data and processes, and this was the weakness that cyber criminals were exploiting.
There were those that were simply ignorant, who just weren't looking or considering the impact of people, data and processes.
And there were those that were arrogant and thought they knew it all, thinking that massive investment in the latest security products was enough. But it was that very arrogance that made them vulnerable.
In both cases, there was a serious lack of situational awareness.
A new mindset
"These problems can all be solved overnight but we need to think differently, we have to know what the risks are that we are trying to mitigate.
"We need a new mindset, we're still in the world of breach prevention. You're never going to prevent a breach, there are too many elements, data in too many places.
"We need to change our attitude to one of breach acceptance. The key is knowing what it is that you are trying to protect.
"Think like a bad guy - what do they want? They want data," he said.
"Accept that breach is going to happen, but understand what types of data you have, where it is and what the processes are, and you'll get a head start," advised Jason. "It all comes back to the same thing; situational awareness.
"I see organisations around the world writing huge cheques for technology to solve the problem, but they don't know what it is they are trying to protect.
"Where is that data? What type of data is it? Personal? Credit card? Trade secrets?
"You have to know where it is, what the process is, how people get to it. You have to understand what the risk is. Is it a confidentiality risk? Or an integrity risk? Depending on which, you can apply the appropriate action," said Jason.
"It's really that simple. The world is all about data. Unless we face up to the problem and solve it, it's only going to get worse."