http://www.europarl.europa.eu/news/en/news-room/content/20151207IPR06449/html/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on-cybersecurity

The EU is clearly to be applauded for this new piece of regulation, which recognises not only key vulnerabilities but also the interconnectedness of elements that all use the web. Apart from the obvious – it’s a good thing – for security professionals I think there are 3 key takeaways:

  1. Clearly TalkTalk has convinced anyone in Government that still needed convincing that something needs to be done on cyber and access risk. We had the Chancellor announcing £1.9bn of new funding for cyber in the autumn statement. We’ve also had new “viability statements” coming into force, asking for the Board’s views on the management of risk to be formally reported to shareholders. And from the EU, what looks like the start of a fair bit of new regulation. I know some of these things have been in the works for a while, but it’s clear – Government is getting involved, and all companies will face increasing workloads on security and access control to meet the new standards.
  2. By linking Amazon and eBay in with critical infrastructure, the EU are showing they recognise that breaches form a continuum, and that access to banking details and to essential services are not completely separate things. Losing personal information is distressing, but losing control of a train would be tragic. Of course critical infrastructure doesn’t have to use the internet, but when contractors are being pushed on price and their components need to talk to each other, the internet is the only viable choice. Remember that in the world of modern automation, a train isn’t necessarily a single entity; it could be a collection of components (engine, wheels, brakes) that all communicate with each other via the net.
  3. There’s also a recognition that all the security in the world won’t protect you if your employees are giving away the crown jewels. It’s often not malicious, but staff don’t take as much care with data as they should. That is why measuring and enforcing “least privilege” is one of the most effective and cost-effective steps a company can take. In case anyone is in any doubt, Intermedia’s 2015 Insider Risk Report reported that 32% of IT professionals have given out their login and password to other employees, with 31% saying they would take data from their company if it could positively benefit them.

At Idax, we’re noticing changes already. Senior management want to understand their vulnerability, and a quick access rights review has immediate benefits. One thing that we’ve done quite a bit is quick reviews of access rights. Using our analytics, we can tell within a few hours who the staff with unusual access are, which is an easy first step on the route to obtaining least privilege and staying there. What’s clear is that any company embarking on a programme to address access risk will not only be one step ahead of the hackers, but will get an early start on new legislation too.