Posted by: Kev Eley, Senior Director of Sales, EMEA
Picture the scene. A teenage boy is so engrossed in his computer that he ignores his parents shouting at him to stop playing a computer game. Any parent will recognise the scene and the perennial struggle and worry about their kids' excessive use of electronic devices. So a pretty normal, everyday occurrence then? Not at all. There was nothing normal about this one. The teenage boy in question was busily attacking a company and stealing customer account records, using that 'old chestnut', SQL injection. You probably think I'm describing a very recent press item that has been covered ad nauseam by every news outlet. In fact, the incident I'm talking about took place in 2005. Which raises the question: if the reports on TalkTalk, the alleged perpetrator(s) and the method (a script kiddie using SQL injection) are true, what have we been doing as a security industry for the last ten years?!
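Since the post never shows why the 'old chestnut' still works, here is an added illustration (example code written for this page, not from the original post or from any system it mentions): a customer lookup built by string concatenation next to the same lookup parameterised. The table, its three rows and the two payload strings are constructed for the example; the point is that the concatenated version lets a quoted input rewrite the WHERE clause (dumping every record) or bolt on a UNION (reading schema, and from there other tables), while the parameterised version treats the same input as a literal and returns nothing.

```python
import sqlite3

# Constructed sample data for the example (not real customer records).
CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database with a small customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """The 2005 (and 2015) shape: user input is pasted straight into the SQL text."""
    sql = (
        "SELECT id, username, email FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query, parameterised: the driver sends the value separately from
    the statement, so quotes in the input never change the query's structure."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker inputs.
# Turns the WHERE clause into ... username = 'nobody' OR '1'='1'  (always true).
DUMP_ALL = "nobody' OR '1'='1"
# Appends a UNION that reads table names and definitions out of sqlite_master.
READ_SCHEMA = "x' UNION SELECT 1, name, sql FROM sqlite_master WHERE '1'='1"


def demo():
    """Return (rows leaked by the vulnerable lookup, rows returned by the safe one)
    for the dump-everything payload, followed by the same pair for the schema payload."""
    conn = make_db()
    dump_vuln = lookup_vulnerable(conn, DUMP_ALL)
    dump_safe = lookup_safe(conn, DUMP_ALL)
    schema_vuln = lookup_vulnerable(conn, READ_SCHEMA)
    schema_safe = lookup_safe(conn, READ_SCHEMA)
    return dump_vuln, dump_safe, schema_vuln, schema_safe


if __name__ == "__main__":
    dump_vuln, dump_safe, schema_vuln, schema_safe = demo()
    print("vulnerable, dump payload:", len(dump_vuln), "rows")   # every customer
    print("safe,       dump payload:", len(dump_safe), "rows")   # none
    print("vulnerable, schema payload:", schema_vuln)           # table name + CREATE statement
    print("safe,       schema payload:", schema_safe)           # none
```

The fix has been the same for the whole period the post complains about: never assemble SQL from untrusted strings; bind values as parameters (or use a query builder or ORM that does so), and treat any remaining string-built query as a finding.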
I am, of course, being a little facetious, maybe even controversial, with that last question. There have been a number of security advances in the industry, it's true. And yet, whenever I read or hear about a breach, I can't help thinking about the people, process, technology triangle. Whenever I've worked with an organisation to help it improve its security, I've always been mindful of this triangle. You can have the best people in the world, but if they don't have the tools to do the job, they're rendered ineffective. You can buy the best tech out there, but with no processes governing its use and no people to run it, the result is the same. All common sense, I'm sure. In my career I've always advocated process improvements via software solutions, but there have been plenty of occasions where I've recommended that organisations don't invest in software tech and instead concentrate on getting the right skills into the organisation or on improving their processes (there is a little self-interest here: a tech deployment that the organisation fails to adopt is poison to the tech vendor). Getting the people, process and tech mix right is as crucial to keeping the bad guys out as it is to running that mission-critical app. Whether it's the 'script kiddie' in their bedroom or the sophisticated organised crime syndicate, if we don't get that 'PPT' mix right, we run the risk of history repeating. Again. And again. And again. Someone hit play on that Propellerheads featuring Dame Shirley Bassey track now, please!