A CEO’s Nightmare: Remote Access for Hackers
Beating the Cyber Threat
The security industry and encryption standards must evolve quicker than the use of advancing technology by organised crime, terrorists and chancers to make sure we are all protected in this cyber age, says Richard Huison, Regional Manager of Gallagher Security (Europe). The word ‘cyber’ is on the lips of many companies at the moment – and normally in fearful tones. No surprise when theft of data and disruption to business continuity is so threatening and can lead to irrecoverable damage to corporate reputations and massive drops in share value.
In April, the BBC reported research from the insurer Hiscox that 55 percent of large firms across seven of the largest economies had been subject to a cyber attack in 2019 compared with just 40 percent the year before. Another report suggests 81 percent of large firms are subject to at least one attack a year.
Cyber Threat is Nothing New
Yet most businesses admit they are poorly prepared and almost 75 percent of firms are ranked as ‘novices’ in terms of cyber readiness. The Wannacry ransomware attack two years ago affected 230,000 computers in over 150 countries in just one day that were exposed through a vulnerable SMB port. Organisations from Fedex to the Université de Montréal, from Boeing to Honda, Russian Railways to Telefonica to the UK’s National Health Service were hit. The threat is nothing new. Back in 2013, a directive from the NIS, focused on protecting critical infrastructure across Europe, said: “Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity and water, to the provision of healthcare and passenger and freight transport. Their reliability and security are essential to everyday activities.”
With the average cost of a security breach to a large organisation ranging between £600,000 and £1.15m, it’s no wonder the cyber risk frightens CEOs so much.
Remote Access for Hackers
The trouble is, hackers can exploit the disparate systems on their networks, often through remote access granted by the organisations to third parties precisely to manage the risk.
Similarly, some manufacturers of security equipment who are expected to provide the solution, may increasingly be part of the problem! Helping organisations to counter the cyber threat is Gallagher Security’s number one priority as they want to help as a long-term CPNI-approved supplier to the home office and critical national infrastructure clients such as the National Grid.
One Million Pound Per Minute
They should know what works as the cost of a power outage on the Grid is £1m per minute so they have to be absolutely sure of their cyber resilience and that everything they plug on to their network is secure. That’s a real challenge in an era where kettles and other household appliances are becoming increasingly wifi-connected, so a hacker switching them all on at the same time could bring down the Grid. Look at the hullabaloo over the leak about the UK Government’s discussions into allowing Chinese giant Huawei involvement in 5G.
So, people should insist on compliance with the various global Government standards – such as the UK’s Cyber Assurance Products, the US’s Fips and Australia’s Type 1A – where genuine cyber resilience will be found.
This way, as the threat landscape evolves, so will the encryption standards to resist concerted cyber-attacks. It is essential also that everybody keeps application software and their Windows environment bang up-to-date for the same reason. In the UK, for instance, only a handful of the 40 or so manufacturers will offer this level of standards compliance and cyber resilience.
SMEs, where typically there is a lower level of cyber knowledge, expertise and resources, still require confidence in the resilience of what goes on their network and that it will still be cyber-safe in the future so that their security investment is future-proofed.
It is important that personal data fields reside on a secure and encrypted sequel database with a single random system-generated key code to ‘unlock’ the database, owned by the company and not any security consultants. Minimising the data that are kept and constantly removed inactive cardholders ensures a ‘Single Source of Truth’, integrated with the organisation’s HR system.
Heavy Fines for Non-Compliant Organisations
GDPR has been in force for a year now to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy. Non-compliant organisations face heavy fines, which could be as high as 4 percent of annual turnover.
To illustrate the `teeth’ of this, one should consider that when the Talktalk cyber breach occurred in October 2015, affecting nearly 157,000 customers, they were fined a record £400,000 by the Information Commissioner’s Office, just shy of the potential maximum £500,000 fine. Under GDPR, if that attack happened again, they would face a potential penalty of up to £71m.
So, another important step is to pre-register all visitors on the site, to ensure they view and acknowledge the GDPR policy and give their consent for the data that is collected, then to automatically erase the visitor data once they have left. Keeping tight control of user privileges on the corporate network and enforcing a robust password policy are also key.
By ensuring all readers are fully monitored, with electronics potted and protected and full end-to-end encryption with 256-bit Elliptic-Curve Cryptography (ECC), it is possible to protect against any tampering of access control card readers. If unique keys are shared between controller and reader, then a substitute reader will not be recognised and simply will not function. The most secure card technology to use is Mifare Desfire EV2. However, a better and more cyber-secure way may be to scrap card technology all together and go for mobile credentials.
Using the Smart Phone
The smart phone with Bluetooth wireless technology is revolutionising access control and negating the need to issue cards. Not many people leave home without their smart phone these days. The same mobile device can be used across multiple sites, with fast remote secure and simple provisioning of each device.
Gallagher have been developed their mobile credentials system in conjunction with Nok Nok Labs, the same people behind Fast ID Online or the Fido alliance, which is what’s used by the banks and systems like Applepay for payments, so it’s very secure. They are ensuring their access products support either PIN, fingerprint or iris biometric authentication, when this is offered by users’ phones. They’re even working with Fitbit to put it into their and other smart watches.
Fido is an open standard alliance – with Microsoft, Google, Paypal, Samsung, Intel, Visa and the UK Cabinet Office among others as members – recognised globally as the future of logical and physical access authentication. Access credentials are issued to mobile phones using the Fido Universal Authentication Framework (UAF) protocol, which allows each user to select their preferred method of secondary authentication.
Unlike other methods, the Fido UAF protocol does not require the authenticating system to store user biometric or PIN information, so this information never leaves a user’s personal device, either during enrolment or ongoing authentication. So, secure two-step enrolment and scheduled two-factor authentication with the user’s finger or face ensure absolute security with no personally identifiable information left in the cloud.
Gallagher reinvest 15 to 20 percent of revenue into research and development, which represents almost one tenth of their workforce globally, and they are committed to two major software releases a year.