September 1-2, 2015
Ambassador Adam Blackwell
I would first like to thank NürnbergMesse Brasil for inviting me to attend and participate in this important event. We are here today as professionals in our various fields to share experiences and challenges, identify vulnerabilities, strategies and solutions linked to Information Security. And now I will speak in English.
Unauthorized access to systems and the information they contain is a threat that has risen significantly both in the number of incidents and the level of impact, particularly among private companies and small and medium-sized enterprises (SMEs). It is not a matter of if but when your business will be a victim of a data breach. Increasingly, ransomware such as Cryptolocker is being used in an effort to extort money in order to restore files. There are increasing reports of denial-of-service attacks against both government and private web sites (OAS/Symantec, 2014). Brazil has a malware infection rate of 32.25% (PandaLabs, 2013), with the second half of 2013 alone recording 3,674 unique phishing attacks in .br. Cybercrime costs in Brazil have grown to an astounding amount of $8 billion (OAS/Symantec, 2014).
ICT and its benefit to business
Investing in ICT and costs
With the prospect of this reality in mind, it is important to recognize the benefits that the use of ICTs in business has brought. The increase in efficiency and productivity as a result of technological advancement is unparalleled. This has not only benefitted rich nations, as there have been generational leaps through the growth of mobile banking systems in countries such as Haiti and Kenya.
The age of “The Internet of things” has arrived; but I call it the “Internet of us,” as “we, the people,” are at the heart of these new technologies that connect everything from our bodies to our phones, homes, and cars. The “Internet of things” has made our society hugely dependent on technology, mobility and data. This dependency and the growth of the now generation of society has changed the way we interface with each other and has revolutionized business processes and to a certain degree has contributed to a breakdown in trust. (Blackwell, 2015)
Cybercrime and costs to business
One of the core objectives of the World Economic Forum Global Agenda Meta Council on the Illicit Economy is to bring issues such as economic growth and the impact of illicit activities out of the shadows. We like to think of the technology-enabled illicit economy as if it were the fastest growing G8 economy. Comparatively, the illicit economy is like that of a large G8 country, where some estimates put it at around 3.7 trillion dollars a year, representing an economy that is growing faster than many of the other legitimate economies or businesses.
Data Theft: a thriving business
Although some hackers are in the business of planting viruses and worms to interrupt business operations, most are now focused on their profit margin. Identity theft, selling your sensitive technical or financial information to competitors, abusing your customers’ confidential data, and misusing your corporate name or product brands are just some of the ways that hackers can profit from breaching your security and obtaining confidential content.
According to a report from the United States Identity Theft Resource Center, there were 720 major data breaches during 2014, with 304 of them affecting the health industry (42.2%). Malware on mobile payments is predicted to increase as the ease of making payments online improves. Electronic financial transfers and transactions amounted to nearly US$ 1.5 trillion in 2014, and this will only continue to grow. More online value transactions will create incentives for cyber criminals.
Data losses linked to financial losses
The increase in the scope of connectivity mandates that we apply better management policies for our IT resources. The Internet of Things creates a problem of “too much”: too much data, too many new security holes to plug and too many untrained persons. The number of connected “things” is expected to increase from approximately 16 billion today to 50 billion by 2020, which would dictate the need to invest in larger storage options.
The increase in complex wireless connections such as cars, phones and televisions increases the potential ‘attack surface’ that is now an inherent part of IT infrastructure. Today criminal actors have more opportunities to penetrate and compromise IT systems than ever before. The 2013 Target breach is a great example to explain how simply connecting various functions within your network not previously connected can expose you to potential attacks. It is reported that security credentials stolen from a heating, ventilation and air conditioning contractor hired to remotely monitor the stores’ energy were used by hackers to gain access to Target’s point-of-sale systems, which led to the leakage of the personal information of 70 million persons. i
Investing cybersecurity with practical solutions
Understanding risks internally and Training of staff
A Gartner survey showed 40 percent of U.S. consumers who work for large enterprises use a personally owned smartphone, desktop or laptop daily for some form of work purposes. Employee data loss carries a high cost:
- 45 percent of businesses with less than 1,000 employees reported mobile security incidents cost $100,000 (Dimensional Research Survey)
- Every lost laptop costs an organization approximately $49,000 in lost intellectual property and compromised data (The Ponemon Institute)
Internal attacks are increasingly becoming one of the biggest threats facing data and systems, as many employees possess knowledge of and have access to networks, data centers and administrative accounts.
Employers need to closely manage and control credentials to prevent exploitation. Invest in and train your employees on cyber security best practices and offer ongoing support, as many do not practice safe online habits and this puts your business data at risk. Take practical steps to hold training sessions to help employees learn how to manage passwords and avoid becoming victims themselves of phishing and keylogger scams. Other simple steps:
- Back up your data so that if an employee’s device breaks or they lose important files, the data is still retrievable.
- Create a company policy regarding the use of a personal device at work outlining how company data can and should be accessed.
- Outline a data recovery plan identifying who has access to the device and potential recovery options. The plan also should include a contact list that identifies IT personnel, a data recovery expert and legal counsel or law enforcement agencies.
Partnering for solutions and building trust
Organizations with a strong security posture or a formal incident response plan in place prior to the incident can reduce the average cost of a breach as much as $21 and $17 per record, respectively. Research shows that appointing a CISO to lead a data breach incident response team can reduce per record cost by $10.2 Educating business executives and workforce is also an opportunity to educate the general user as many of the steps employees should take in the workplace are the same as those security measures they should be implementing at home. Public-Private partnerships are an excellent solution to deal with these transnational issues. The public sector needs the private sector to gain access to technology. But on the other hand the private sector needs to work in tandem with the public sector to access assistance in addressing the transnational effect that cybercrime can have on their operations.
More than a national issue given extra-jurisdictional nature
To fight crime, particularly dynamic ones such as cyber-threats, it is critical to adopt models that reinforce collaboration between countries and institutions. There is no one-size-fits-all solution, and each country must find a strategy that suits its needs. The best policies are those that promote an adequate assessment of the problems, are tailored to individual needs, and engage all parties in the decision-making process.
Procedural legal requirements to facilitate cybercrime investigations, e.g. the 24/7 G8 network and other information sharing networks, are a necessary step to addressing these issues. Just as the internet disregards borders and is an international fore, so too must be the response, through international cooperation. There are international mechanisms that address cyber security and the internet. Not only nations must be a part of this international response but businesses as well, as they too operate internationally and within a global economy.
Netmundial and IGF Brazil
On the global front, Brazil has been leading on very important issues that will contribute to best practices and internet behavior. Held on April 23rd and 24th 2014 in São Paulo, NETmundial was one step in a series of key events that will shape the future of how the Internet is governed. As an appropriate follow-up, the IGF 2015 meeting, to be held later this year, will focus on the theme “Evolution of Internet Governance: Empowering Sustainable Development”. As we dialogue over the next two days, let us reflect on these themes, as the measures we put in place for the protection of our data will be impacted by these initiatives. These international events are an opportunity to engage multi-stakeholders not only at the national but the international level in the fight against cybercrime.
Information sharing with international community
Differences in international juridical norms hinder prosecution of transnational crime. SMART security social inclusion initiatives are applicable not only to traditional crimes but to cybercrime and other crime involving digital evidence. Existing information sharing models such as CERT-style committees can be adopted to track criminal actions and share intelligence through established channels. Building networks to exchange best practices aids in growing the application of these best practices and mitigating the successful attacks that can be launched from border to border.
The threat from the ever increasing scope and scale of cybercrime is both real and challenging, but the OAS is succeeding in laying the groundwork for integrated, multidimensional and multi-sectoral responses through private-public partnership and the establishment of a network of actors all dedicated to combating the threat that is cybercrime. The OAS/SMS has, through its Cyber Security Program, been promoting the issue of cyber security and its importance to business through the promotion of forums that facilitate discussions.
I will close as I began: the issue of cyber threats cannot be misunderstood, as it is not a matter of if, it is a matter of when one’s business will be the subject of a cyber breach. Corporate cultures vary around the world, and there is no one right way to protect data. But the internal threats are a global problem with costly consequences. The same energy used to counter attacks from outside the company must be extended to investing in training employees on cyber security, which can be your company’s first line of defense. Like outsider threats, implementing a comprehensive approach that includes education, policy, and technology is crucial to protecting your company. Those companies that take the extra steps to address these issues comprehensively will be in a better position to maintain sustainable security strategies and increase their competitiveness.
 http://www.bizjournals.com/orlando/blog/2015/04/avoid-hillary-drama-3-ways-to-keep-your-business.html and https://www.washingtonpost.com/news/the-switch/wp/2014/01/10/the-target-hack-gets-worse-phone-numbers-addresses-of-up-to-70-million-customers-leaked/