Talking cybercrime and data security with IBM’s Carmina Lees
Tim Compston, Features Editor at SecurityNewsDesk, speaks to Carmina Lees, the Director of IBM Security in the UK and Ireland, about her high profile role within the business and whether she feels there is any antidote to what is, undoubtedly, a soaring cybercrime pandemic.
I start our interview by asking Carmina whether a globe-spanning solutions provider like IBM is well placed to take the lead on picking-up and sharing ‘actionable’ intelligence on new, and emerging, cybercrime threats. Without hesitation she replies in the affirmative: “On yes, definitely, we have over 12,000 clients now in 133 countries and, because we have our research and development arm and our managed services, we can obtain a lot of data and security intelligence from the clients we manage,” says Carmina.
Setting the scene on how she came to take-up her current position at IBM, Carmina tells me that it all stems back to 2014 when the business announced a set of strategic initiatives which covered: cloud, analytics, mobile, social, and security, with a big emphasis on security. As part of this process she was asked to become IBM’s security lead for the UK and Ireland. Since then one of her primary tasks as Director of Security has been to oversee a radical transformation in the way that services and software are delivered to IBM’s clients on this side of the Atlantic: “At first my remit was predominantly on [security] services but as we evolve we are now moving to one integrated unit so all of the services, and all of the software, are effectively one pillar within IBM.” Carmina says that this shake-up was very much in response to client demand: “It is what our clients were asking us for and, in fact, we are one of the only organisations in the marketplace that can offer such an end-to-end security roadmap.”
She admits that for many organisations the cybersecurity landscape can, at times, appear very daunting: “This is such a big competitive marketplace. Some organisations have gone out over the years and bought so many different products to help them, in one case I have heard of them trying to work with 45 products from multiple vendors. A constant message that we are hearing from people is that they want to build a security roadmap but that they just don’t know where to start.”
Carmina feels that dealing with the sort of ‘joined-up’ integrated security business unit that she now oversees for IBM in the UK and Ireland is paying dividends for clients by simplifying things and allowing organisations to move away from a more piecemeal approach: “We can help them [clients] from a consultancy point-of-view, from a software point-of-view, and managed services, to build their roadmap because it is still a bit of a minefield out there.”
Regarding the trends she, and her colleagues, are encountering on the cybercrime front, Carmina reckons that, increasingly, the cyber threat is centred around what she refers to as ‘social engineering’ with IBM finding that human error is a contributory factor in 95 per cent of information security incidents. The common ways in which this is manifested are, apparently, people ‘double clicking’ on an infected attachment or an unsafe URL: “The technology that attackers are deploying is certainly very sophisticated. We have conducted a great deal of research around this. Cybercrime is more organised now given the tools, and skill set, that they [the criminals] have at their disposal,” she explains.
Turning to the real-world financial implications of this virtual crime wave as more undesirable elements are up to no good online, Carmina is keen to put some figures on the losses organisations have suffered to date. She references the findings of a 2015 Ponemon Institute study, conducted in association with IBM, which examined the costs incurred by 39 UK-based companies from 12 different industry sectors following the loss, or theft, of protected personal data.
Carmina tells me that the research discovered, for instance, that the average cost of a data breach in the UK has risen by seven percent over the last two years to a staggering £2.37 million and – to put it another way – the average cost of a lost, or stolen, record now sits at £104: “Data breaches cause clients a whole host of problems,” says Carmina, “It is a few things: it is reputational, it is brand, and it is obviously financial. We have seen it in the press. When you get the big names involved it has a tremendous impact on their clients and customers confidence. Although many breaches don’t make the headlines at first when they do come out later they tend to erupt,” reflects Carmina. She believes that the rising cost of data breaches adds to the imperative to adopt new ways of thinking.
Carmina goes on to say that, increasingly, organisations need to be conscious of the threat that can emerge from within: “This is something which we are finding more and more companies are struggling with.” She says that an internal breach can result from ‘malicious insiders’ or ‘inadvertent actors’ – accidently doing the wrong thing and clicking on something – a reality which was evidenced in the IBM 2015 Cyber Security Index report which found, worryingly, that 55 per cent of breaches were caused in this way: “This has certainly happened a great deal in the marketplace.” To protect against internal issues, Carmina tells me that as a starting point organisations should take steps to identify their ‘crown jewels’, whether that be specific data or a website, and who, internally, has access to this valuable resource: “What is alarming is that you have some employees who are just not happy and still have a way to reach certain data.” She stresses that it is all about getting the message across regarding the need to have tighter controls around these so-called ‘crown jewels’.
Bring your own device
Expanding on the employee piece of the cybersecurity jigsaw puzzle, discussion turns to new emerging threats and the prevalence of ‘bring your own devices’ and ‘cloud-based’ apps at work: “A lot of companies encourage people to bring their own devices but then these are linked into their network,” says Carmina. She confirms that IBM has launched a new product – IBM Cloud Security Enforcer – to help mitigate the risks here: “You don’t necessarily know what apps employees have on their smartphones and what they are clicking on during the day which is leading back to your network. As clients are moving to a cloud model they need security to underpin that too.”
Essentially, when employed Cloud Security Enforcer combines cloud identity management with the ability for companies to discover which outside apps are actually being accessed by their employees. Underlining the way that cloud solutions are taking-off, Carmina confirms that IBM’s cloud business has posted double digit growth in the last two years: “Security for us is now seen as underpinning our cloud, mobile and analytics businesses.”
Taking a broader perspective on things, Carmina draws an analogy from the medical world to illustrate just how pervasive, and fast moving, cybercrime can be. Basically, in her view, cybercrime is akin to a ‘global pandemic’. Carmina presses home the point that there is an ever-greater need for public and private sector collaboration to contain damaging cybercrime outbreaks. She confirms that this is something which IBM will continue to push strongly for: “Left unchecked cyber threats can quickly spread and infect businesses and governments alike,” says Carmina.
She is disappointed that, to date, the vast majority of organisations have been reluctant to share the security intelligence they collect and put this down largely to proprietary, legal, and sensitivity concerns. Carmina is adamant that this data is crucial in the ongoing battle with the cybercriminals: “We cannot afford to keep it to ourselves for a moment longer,” she concludes.
Looking ahead, Carmina believes that it makes much more sense for companies involved in the cybersecurity arena to actually compete on their ability to deliver actionable intelligence to clients using threat data, as opposed to simply providing the data itself. Already she says that IBM has taken a strong lead here: “We opened up our own extensive threat database, the X-Force Exchange threat intelligence network (20 plus years of data, 700TB) last April, as a catalyst to spark this global collaboration that should help to safeguard our economies and privacy.”
According to Carmina 2000 plus organisations are now participating in this ambitious initiative, with the number growing all the time: “This [the X-Force Exchange] is a cloud-based platform which is able to pull together all of that security industry data across key industries. Basically you can go in and see what the common themes are for your sector such as retail. We have had a really positive response so far,” says Carmina.