PSIJanuary2018
ACCESS CONTROL<br />
(from previous page)<br />
organisations with access control systems that<br />
feature outdated protocols. It should also be<br />
remembered that even when biometric devices<br />
are used there are hacking tools out there that<br />
make these systems equally at risk of attack,<br />
unless proper actions are taken.<br />
The internal threat should also be considered.<br />
For instance, organisations can no longer rely on<br />
the transactions on an audit report being<br />
acceptable as proof of someone’s activities, as an<br />
individual can simply claim it was not them and<br />
that their card must have been copied. In<br />
addition, many corporate compliance rules can<br />
easily be broken by employees modifying their<br />
passes to perform actions such as breaking the<br />
banking rules on compulsory holidays, engaging<br />
in secure document printing, and logging on to<br />
unauthorised computers and other IT equipment.<br />
The possible consequences of not taking this<br />
issue seriously are numerous. According to the<br />
UK’s National Crime Agency (NCA) cybercrime has<br />
now surpassed all other forms of criminal activity.<br />
The NCA’s Cyber Crime Assessment 2016<br />
recommended stronger law enforcement and<br />
business partnership to fight cybercrime, with<br />
‘cyber enabled fraud’ making up 36 per cent of all<br />
crime reported, and ‘computer misuse’ accounting<br />
for 17 per cent. The report also suggested that the<br />
problem is likely far worse than the numbers<br />
suggest, noting that cybercrime is vastly underreported.<br />
On the look out<br />
Maybe these figures should not come as too<br />
much of a shock considering that infiltrating IT/OT<br />
systems simply involves the use of the card reader<br />
protocol to enter a facility, allowing access to<br />
computers. Those computers then act as a<br />
gateway to the target’s internal internet, allowing<br />
a hacker to access sensitive data that can be used<br />
for a variety of purposes including identity theft<br />
and industrial sabotage.<br />
The amount of personal and corporate<br />
information now stored via networks is growing<br />
exponentially thanks to the Internet of Things<br />
(IoT). Estimates about the number of connected<br />
devices set to be in use over the next few years<br />
vary enormously. According to Intel, the IoT is<br />
predicted to grow from two billion objects in 2006<br />
to 200 billion by 2020, when there will be around<br />
26 smart objects for every human being on Earth.<br />
Meanwhile, IBM claims that every day we create<br />
2.5 quintillion bytes of data – according to the US<br />
definition that’s one followed by 18 zeros – and to<br />
put that huge number into perspective, it equates<br />
to filling up 57.5 billion 32Gb Apple iPads.<br />
Data protection is an area where failure is not<br />
an option – security, legal and regulatory<br />
compliance is vital, while data loss and leakage<br />
risks must be mitigated. On 25th May 2018, the<br />
General Data Protection Regulation (GDPR)<br />
becomes European law. Its primary objectives are<br />
to give citizens and residents control of their<br />
personal data and to simplify the regulatory<br />
environment for international business by<br />
unifying the regulation within the European Union<br />
(EU). It requires any organisation that operates in<br />
the EU, or handles the personal data of people<br />
that reside in the EU, to implement a strong data<br />
protection policy, encompassing access, secure<br />
storage and destruction.<br />
Action plan<br />
Organisations have to be more aware than ever of<br />
how to protect themselves against hackers and<br />
although it is the IT network infrastructure that is<br />
the focus of attention in terms of preventing such<br />
attacks, a comprehensive risk evaluation requires<br />
www.psimagazine.co.uk