The number of cyber attacks waged on enterprise is growing at a rapid rate, many with a view to stealing data and extorting a company for a ransom before it is returned. Digital Bulletin speaks in-depth with Clearswift’s CTO, Dr. Guy Bunker, to find out how companies can best protect themselves to this ever-growing threat.
Can you begin by telling us a bit about yourself and Clearswift?
I’ve been here for seven years as CTO and prior to that was at HP Semantics, Oracle and some other replaces, generally in IT and security. Clearswift can be traced back to the early 1980s, but was officially established in the early 2000s. I arrived in 2012 with a view to reinvigorating the organisation around email and web security.
Email and web security are predominantly gateways and they deal with advanced threats coming in and then data loss prevention (DLP) on the way out. We also offer DLP on end-points and information governance, which is around tracking and tracing, and therefore applying policy to information as opposed to just files.
Could you speak about some of the technologies and tools you offer enterprise?
One of our key pieces of technology is something called Adaptive Redaction. One of the frustrations from businesses is technology blocking business instead of enabling it. We created something called Adaptive Redaction, which is part of our adaptive DLP, and that is the ability to remove the piece of information that breaks policy, and therefore allows the communication to go through.
A really simple example is somebody rings up an insurance helpdesk and end up having sent in their credit card number in order to get a change made through email. Traditional DLP would find the credit card number and would block the email from going out, but that creates a number of problems.
With our solution, we would just take out the credit card number, just leaving the last four digits and everything else remains the same. So, you keep that piece of collaboration going and in 99.9% of cases, the information that is being sent out is done so in error so removing it solves all of the problems. The communication continues, the good data is kept safe, the world is a happy place.
How else can Clearswift help enterprise from cyber security perspective?
With electronic documents, there are other pieces of information that shouldn’t leak, and it could be that you have a spreadsheet where a column is hidden with all the credit card numbers, or it could be even that the document properties and comments are hidden.
In order to look for these threats, we go down to the nth degree and we will even look inside an image. If somebody has taken a picture of the credit card a screenshot and tried to send that out, we will use character recognition to detect whether there is information in that which should not be leaked.
Another advantage of Adaptive Redaction relates to active content. This is where you get a malicious or weaponised document where somebody has embedded a script or some other code inside the document that activates when you open it, and that is the most popular way in for ransomware. We can strip that out and make sure that the copy that goes through is dewaponised or safe for people to look at.
You recently conducted a report following an in-depth survey – can you tell us what you found?
The key thing we found from the Insider Threat Index is that with the recent fines to British Airways and Marriott, GDPR is beginning to gain some traction. These particular fines coming out show that the ICO has some teeth and has made people realise that it’s not just lip service, companies are realising that they really need to take GDPR and compliance in general seriously.
Despite all of the best efforts of vendors and the media, it is only when things come down to money that organisations sit up and take notice, and that has come through in the survey. The real takeaway is that money talks, and if you’re taking money away from your shareholders then it’s a big deal. Money is focusing the minds of boards around the world.
What were some of the other main points raised?
The survey also reinforced that the threats companies and people are facing are changing on a very regular basis. The spread of the attacks and how rapidly they can be moved into different parts of the globe has been sped up and people need to be more aware of the threats and solutions that will mitigate a lot of those threats.
With ransomware, if you go back to 2016 there was a massive set of ransomware attacks against the German public health sector and we’ve seen that trend increase, notably in the UK’s National Health Service. The health care sector is under a barrage and for a lot of these health care organisations, the way that their IT systems are set up, attacks put them back to pen and paper. It has the opportunity to actually kill people when it jumps across the gap to control interfaces.
Where do you stand on organisations paying ransoms to have data or information returned?
I’ve always said that you don’t pay ransoms, but for some organisations that haven’t understood the impact about what ransomware can do and therefore are not prepared, they have very little option but to pay it.
But even if they are fortunate enough to get their data back – it’s something like less than 70% who do – they then need to ensure that all other plans are in place to protect that data because you can virtually guarantee that another attack will come, because nothing has been done to remove the malware or virus on the system.
With GDPR, the criminals also have another option, which is to say that if a company doesn’t pay a ransom, then they’ll leak the data because they know a company faced with a $100 million fine for a GDPR breach might be inclined to pay $10 million, but actually they can just take the money and release the data anyway. People forget that they’re dealing with criminals.
Are companies taking this threat as seriously as they should be?
Yes, but because of the threat of fines. I had a call this morning with somebody who had more than 20,000 people in their company and their security is seriously lacking. This is a big organisation, it’s not just small companies who are guilty of this. This example is in a sector where traditionally it hasn’t been attacked.
Back in the day, a cybercriminal would look at whether they could get hold of a credit card that could be monetised immediately, but if they can’t attack a bank they will go for a new sector that hasn’t previously been a target. That is low hanging fruit for cybercriminals and some of the companies in these sectors think they’ve got away with it, they think they’re immune, but clearly they are not. When there is an inkling of an issue, they start looking at their issues and ask, ‘Is it a bit late?’, and the answer is, of course, yes.
What are your thoughts on what enterprise has to do to educate its workforce?
Security has lots of old adages, but one of them is ‘defence in depth’ and part of that is you start with the people. People have to start with their awareness training and best practice, risks and consequences need to be understood. It’s often the feet on the street as opposed to the managers who understand where risky behaviour is, they can point out where they believe weak spots are.
It’s then about processes and policies, particularly around what to do if you think there is a problem, so when something pops up to say there’s been a compromise or a ransom is demanded, at that point the person needs to know who to call to sort the issue. Disaster recovery has to include cyber, and ransomware is a key risk and threat that people know how to deal with.
Last but not least is technology, which should be enforcing policy and process and backing up the people. People make mistakes that can result in security issues, so tech should help stop those mistakes becoming large-scale incidents that companies can do without.
How are technologies like AI and ML being used to battle ransomware?
With AI, there are some things that it is very good at, and much of that is around ensuring that the data you’ve got is a representative sample of what you’re looking for, in effect. There is no doubt that there is a place in the future for AI, even within small organisations, if you collected up all the incidents that happen, trying to find the wood for the trees is hard work and AI can help you narrow it down so at least you are looking at a tree, rather than the entire forest.
However, there are a number of challenges in making that happen, which is getting a baseline that is actually workable. Take a finance department, for example, we’ve got a baseline and we’re looking at what people are doing and there’s an anomaly detection picked up by AI.
But, on the day that someone is sick or is on holiday and their workload is spread across other people, that will show up as an anomaly because that isn’t standard practice. That is going to happen all the time so getting to stage where you’ve got something that is more useful than not is an issue.
How do you see this game of cat and mouse between cybercriminals and enterprise developing over the next three to five years?
There will be a move towards changing some of the information to create disruption is going to grow. If you can get inside an organisation rather than putting in some ransomware, put in some insidious changes, that is going to be effective.
The example is gaining legitimate credentials, and every day I change one digit in a phone number in one percent of the data. You won’t notice it and when you do, it might look a bit strange, you won’t realise a bigger change is happening, and that is going to become a real problem. Once you can start to do that changing, you can change all sorts of things, and that can go into personal reputation or corporate reputation.
