On May 29th, I attended Talk*Infosec.
Talk*Infosec goes hand-in-hand with recent IISP East Midlands events aimed at building a vibrant Cyber Security cluster in the East Midlands.
Afterwards, the speakers were joined by Nexor’s Colin Robbins for a panel discussion.
One common theme that arose was that companies are still not taking Cyber Security seriously enough. Colin Robbins observed that for all the statistics about the likelihood of attacks and the cost of being compromised, one need only look at Sony (http://en.wikipedia.org/wiki/PlayStation_Network_outage) to see that despite a pretty major breach, the business suffered only temporarily. Could it be that the consequences are not enough to warrant a serious response – perhaps companies would rather take out an insurance policy to cover such eventualities?
The places where Cyber Security is taken seriously are the places where loss of life is possible. One need only look at Stuxnet to get a feel for the horrendous possibilities. But while it’s getting more common to see headlines about big companies like Sony being breached, I’ve yet to see the headline: “Big Company X goes bankrupt after huge cyber attack”. The truth of it is that the end user now sees the occasional breach as inevitable, and accepts having to occasionally change their password. In the case of Sony, the most notable effect was that users couldn’t play online on their PlayStation for almost a month. It’s not ideal, but nobody’s going to die and the service will eventually recover.
A month is a pretty long time, but clearly it has not had a drastic effect on the success of the PlayStation brand. But if it had been even longer, or more seriously if it had started happening with some regularity, I suspect that Microsoft’s Xbox division would have started making some serious cash. At that point – when the consequences are seen less as a one-off cost and more as a fatal blow – you can bet the farm companies are going to start taking this stuff pretty seriously. It’s surely only a matter of time before a particularly talented villain says to himself “I don’t really like this company, I think I’ll destroy it”. That’s when realisation will set in.
The whole situation can be summarised with an old saying: it’s all fun and games until somebody loses an eye. The question is, can we convince people to buy safety goggles before it happens, or are we doomed to wait until the day after it does?
(I wonder if there’s money to be made selling eye-patches?)
There was one other common theme that arose in the panel discussion: the war of security and convenience. Check back soon for details on that.