What I would like to have heard at eCrime Congress 2014

By Dr. Guy Bunker

Last week saw the eCrime Congress in London and Clearswift attended in both a speaking and exhibiting capacity.

It was packed. While some conferences are suffering from falling attendances, the meaty security ones are going from strength-to-strength. And while eCrime is considerably smaller than RSA; it had the same level of buzz and activity about it.

The session everyone wanted to hear was Andy Archibald’s “Investigating crime in the digital age”, where we were hoping to hear how the NCA (National Crime Agency) NCCU (National Cyber Crime Unit) was working, having morphed its previous e-Crime and SOCA Cyber incarnations. The good news was that it is still going and there is increased cross border cooperation. The less good news was that there wasn’t any real update or concrete recommendations. There was a comment that organizational ‘reputation’ needs to be protected – which was a great acknowledgement on something that Clearswift have been saying for years.

What would I have liked to see?

Well, it would have been nice to have had something more said about supporting smaller organizations, the SMB and SMEs. When we look at the business landscape in the UK, the vast majority of people work for SMBs/SMEs and they don’t have the budget and expertise that large organizations (or the government) can call on.

There needs to be a more definitive and prescriptive list for the SME/SMB to follow – written in simple, clear, easy to understand terms. It needs to cover what the risks are and the solutions that can be deployed to protect against them – along with a set of potential suppliers and solutions. These solutions should have a list of outline costs associated with them, to give the business an informed idea of what they are dealing with. For example, in the SMB/SME, the some of the large enterprise features may be traded off for ease of use.

If I were to give my top 5 guidelines for SME/SMB:

  1. Anti-virus. There’s a lot of talk of AV having died... but it is just not true. Yes, there are other bad pieces of malware, but there are still lots of viruses, Trojans and other nasties. Get a good endpoint AV security solution, install it on laptops and desktops – and make sure the virus / malware definitions remain up to date.
  2. Full disk encryption for laptops. If you lose an unencrypted laptop then you can be fined and end up in the newspaper. Not good for anyone’s reputation. You may think there is nothing to protect on the laptops – but can you prove that is the case? If not, then you will be fined.
  3. Secure email solution. Email is responsible for multiple data breaches and malware infections. So, find one which has anti-virus, anti-spam and data loss prevention. Stops the bad stuff from coming in and the bad stuff from going out.
  4. Secure web solution. We all use the Internet and more and more information is shared online. Find a solution which won’t just prevent you falling foul of bad sites and URLs, but can also help protect your critical information – we’re back to Data Loss Prevention once more.
  5. Education and awareness. While there are lots of stories in the press about security breaches many organizations don’t realise that they can use them as part of an education programme. Create a simple, regular newsletter which goes to all the staff. Highlight the latest stories and the routes taken and ask whether you might be at risk, and what you would do to prevent such an event at your organization. Even in the smallest of organizations it is possible to build up a team who takes information protection seriously – which then goes out and improves it for everyone.

It’s a tough world when it comes to cyber-crime, just ask Target or Morrisons. The only way to improve it is to work on it together and keep working on it.