On a balmy June afternoon, over 100 Women’s Security Society (WSS) members and guests gathered at Nomura’s Thameside offices for the WSS’ conference – Acting More Intelligently. The focus of the conference was given additional weight as the phone hacking judgments were revealed in the days surrounding the conference.
Attendees first heard from WSS Board Member Rowena Fell (Associate Director at Merck Sharp & Dohme) about Merck’s insider threat programme. Rowena is responsible for over 50 countries, which gives her a lot of languages, time zones and cultures to navigate. The tips she shared about how Merck is addressing these issues gave everyone something to think about. In particular, everyone was very interested to hear about their superhero-themed employee education programme – having learnt the importance of combining training with strong policies. Giving examples of insider threats, she highlighted that organisations can no longer rely on the identification of staff wheeling suitcases of files out the door and instead need to look out for those uploading confidential information to the cloud or downloading it to a USB.
Then, the audience were lucky enough to hear from John Bree, MD Corporate Security and Business Continuity at Deutsche Bank. He gave his definition of the insider threat and the vulnerability landscape. He highlighted the importance of training and awareness, but also spoke about the importance of senior sponsorship and the need for the tone to be set from the top. As many organisations have realised, it’s not about doing only what’s legal, it’s about doing what’s right and sustainable. In John’s own words: “The how is as important as the what.”
In discussing the Target breach, he reminded the audience of the need to manage vendors and all secondary processors throughout the vendor chain.
He reminded everyone that one size does not fit all and that we need to focus on our own organisation’s insider threats, understand our own near misses, and identify patterns of behaviour and key indicators that can help us better understand the insider threat. He also encouraged the audience to ask themselves every day what they can do better and, where possible, to work closely with local law enforcement agencies.
Finally, everyone was extremely privileged to hear from Professor Sadie Creese, who is working on the Corporate Insider Threat Detection Research Project at Oxford University.
She spoke about the lessons they are learning from their detection research, explaining that there had been a shift in corporations’ willingness to admit when they have been hacked, but that they still cannot accept the need to admit to an insider breach, as that is still deemed a loss of control. She also talked about red flags and the need to understand changes in the behaviour patterns of employees.
Creese is engaged in a broad range of cyber security research and has plenty to offer on the topic. On this occasion, her presentation focused on something specific for the attendees of this event. She spoke exclusively to SecurityNewsDesk about her research.
“I’m currently involved in a £1.7 million research project assessing the learning around insider threats, so I’m looking forward to expanding on the content of this project and its goals during the seminar,” Creese said. “Primarily, the research is focussed on the understanding of the current level of insider threats and how organisations manage the risk. Through the research we aim to provide insight into how we can enhance the way these threats are detected, and how we can enhance the way we communicate with and educate senior management on the science of detection and the transference of this knowledge.”
Creese explained that her presentation was focussed on sharing what has been learned so far about the challenges in communication and the barrier to addressing and assessing risks.
“My presentation looks a little on the psychology of people who pose an insider threat and how to spot them,” she said. “Using case studies to look at what sort of people are likely to be a risk and take a look at the nature of these types of attacks in more detail.”
The research is considering both deliberate attacks and accidental events. Their modelling approach is multi-layered, looking at what is (i) conceptual, (ii) feasible and (iii) ethical and legal. They are developing a prototype detection system and also working on teaching materials to improve education and raise awareness of the insider threat, as their research has already shown that managers are unaware and unprepared for the insider threat. Sadie did, however, confirm that there are exceptions to this rule in the banking and energy sectors.
It was clear that the audience will all be eagerly awaiting the final findings from the research project. Sadie’s final words of advice were that organisations should be seeking intelligence-led cyber security.
Based on the comments and advice of all the speakers, many members will surely start to view staff who suddenly start arriving early and leaving late, or other employee ‘red flags’, a little differently in the future…
These really informative talks were followed by a lively panel discussion on the issues raised in the talks under the Chatham House rule. So if you want to be a party to these types of discussions in the future then sign up to be a member at (www.womenssecuritysociety.co.uk) and join their next event, which is being hosted by PWC in central London on 16th September 2014 from 6.30pm.
The WSS extends its thanks to Nomura for hosting the event and providing such a great space for the conference, as well as thanking its sponsors for their continued support. In the words of one of the guests, “This was the best event yet”, and there is no doubt the WSS will strive to improve on that at the next one.
As Professor Creese points out, the WSS is worthy of on-going support.
“I was unaware of the Women’s Security Society until they approached me for this event,” Creese explained, “But it’s definitely something I hope to be more involved with in the future. There aren’t enough women in security and we need to encourage valuable initiatives like this to support the environment to encourage women, and men, to meet and find ways to address the issue.”