20th annual e-Crime & Cybersecurity Congress
2nd & 3rd March 2022 • Park Plaza Victoria, London
20 years ago, e-Crime was new, and cybersecurity embryonic. Today digital threats undermine everything from our hospitals and schools to our democracies. So, how can government, infrastructure providers and solution vendors do better to keep business, society and individuals safe?
More significantly for those watching the emerging world of digital threats, a new infection technique appeared: users no longer needed to download files – visiting an infected website was enough as bad actors replaced clean pages with infected ones or ‘hid’ malware on legitimate webpages. Instant messaging services also began to get attacked, and worms designed to propagate via IRC (Internet Relay Chat) channels also arrived.
Cybersecurity was in its infancy. It was a niche, geeky, IT specialism. Companies, in general, paid it little attention. And not much changed for a number of years. Today, scarcely a day passes without news of a significant attack; single attacks are costing companies tens and even hundreds of millions of dollars; politicians are raising cyberespionage at global summits; and losses due to cybersecurity are forecast to hit $10.5 trillion in 2025.
The regulators are on the case. Operational resilience in critical sectors of the economy is now a key focus. Data privacy legislation is well established. And fines for cyber-related misconduct are beginning to be imposed. Just recently, the U.S. Securities and Exchange Commission (SEC) signaled a significant change in how it thinks about what constitutes a threat to companies: It now considers cyber vulnerabilities to be an existential business risk.
This was evident in fines levied against two companies over inadequate disclosures of cybersecurity issues — British publishing company Pearson PLC and First American Financial Corp. In mid-August, the SEC announced that Pearson had agreed to pay $1 million to settle charges that it misled investors following a 2018 breach and theft of millions of student records.
And in June, the SEC announced another settlement and $500,000 fine against real estate services company First American Financial for lack of disclosure controls following the discovery of a vulnerability in its system that exposed 800 million image files, including Social Security numbers and financial information.
These fines signal a major shift, and one that could profoundly change the way companies think about cybersecurity threats, communicate internally about these threats, and disclose breaches.
"The cybersecurity landscape we see now in the UK reflects huge progress and relative strength – but it is not a position we can be complacent about. Cybersecurity is still not taken as seriously as it should be, and simply is not embedded into the UK's boardroom thinking," said Cameron during a speech at Queen's University, Belfast.
"The pace of change is no excuse – in boardrooms, digital literacy is as nonnegotiable as financial or legal literacy. Our CEOs should be as close to their CISO as their finance director and general counsel."
Law enforcement resourcing, and indeed the resourcing of cybersecurity in the public health, education and council systems, is laughable. It’s time for government to put its money and power where its mouth is – and not just at the glamorous, GCHQ, offensive cyber end of the spectrum. And the model needs to change elsewhere. With increased dependencies on a handful of large telco and IT providers, governments need to grasp the nettle of regulating these providers too.
The fragmented and confusing security solutions market needs a shakeout: should a globally significant threat to public health and safety and business viability be left in the hands of hundreds of small start-ups, almost all of which are no use to the SMEs who make up most of the economy?
And the NCSC and government need to take responsibility for the slow pace of cybersecurity literacy and effectiveness. The digital portfolio passes from minister to minister like an unwanted relay baton. Initiatives on fraud – the largest single crime area in the UK today – have been little short of farcical.