Europe: The weakest link

Author: | Published: 15 Dec 2016

When the UK's Tesco Bank was hacked in November, and the criminals made off with £2.5 million ($3.1 million) from 9,000 customer accounts, it was called the worst cyber-attack in British banking history. The firm's response involved a call to other banks to work together as an industry to protect consumers and the financial system as a whole.

But parallel reports from multiple sources claiming that the firm repeatedly ignored warnings of holes in its defence mechanisms are somewhat troubling. It seems no matter how thick and fast the examples come, companies continue to pull the wool over their own eyes when it comes to cybercrime. Too often it's viewed as a distant and unlikely threat that presents itself purely on digital platforms – which, it's becoming increasingly clear, is categorically untrue.

In fact, the majority of cyber-attacks these days have a social engineering element to them. This can be anything from clicking a link in an email or unwittingly sharing sensitive information on social media, to finding a lost-looking USB stick in the car park and plugging it into a company computer to find out who it belongs to.

Humans are the weakest link in the online world – a vast, boundless chain with weak points dotted along it. All hackers have to do is identify those weak spots, and they're in.

That's why experts are now calling for the so-called security onion, a defence mechanism consisting of multiple layers of control functions – as opposed to the conventional approach of building a perimeter around the business and hoping no one penetrates it. You can have the best firewall in the world, but if it can be eliminated in one fell swoop by an overly trusting employee opening an email, there was very little point in it in the first place.

We are all especially vulnerable because we're still in the pilot phase of the digital world. None of this has been done before; we're all little more than guinea pigs in an extreme case of trial and error.

But how many companies must be made an example of to make others listen? Reported attacks on companies in the UK alone have risen from five in 2014 to 75 so far this year, and that's just what's been reported. Information security sits in a legislative vacuum at the moment, which is unsurprising given that the law has always struggled to keep up with society, let alone technology. Reporting incidents is not mandatory in most jurisdictions, and it's not attractive either – the reputational risk can easily do more long-term damage than the financial one. The real numbers are likely to be much more dire.

So the EU's Network and Information Security directive, adopted in July, is a start. Among other things, it introduces mandatory breach notifications in some areas, which may have the indirect consequence of shaming some organisations into boosting their defences. If it wasn't clear from the beginning then it's certainly clear now that cybercrime is not going anywhere. The attacks are only going to become both more frequent and more sophisticated as time goes on. So if embarrassing people into taking information security seriously is what it takes, then bring on the headlines.