Jersey urged to step-up cyber security

Friday 10 March 2017

If Jersey wants to maintain its status as a successful international finance centre then it will have to step up its efforts to defend its organisations – and there’s never been a more critical time to do it, an international panel of security experts has said.

Their comments came as part of a Cyber Security Masterclass run by the JFSC and the Security Awareness Special Interest Group (SASIG) yesterday, aiming to show local business leaders how to strengthen their protection.

According to Martin Smith MBE, security expert and founder of SASIG, which represents hundreds of organisations across the world, cyber crime – especially on finance centres like Jersey – has now reached an “industrial scale… and it’s only going to get bigger and bigger.”

“Why would you try and break in and steal physical assets when you can do the same thing online with no risk to yourself, from anywhere in the world? Even if it all goes wrong, you’ll never be caught or prosecuted,” he said of the hackers.

Our Head of ICT talks about cyber risks & reputation closer to home at today's @JerseyFSC Cyber Security Masterclass. pic.twitter.com/IP2psdFKHz

— JerseyFSC (@JerseyFSC) March 9, 2017

World-renowned cyber security expert Eugene Kaspersky, CEO of Kaspersky Lab, said the problem is that, “…there are no borders in the internet, maybe most hackers don’t even recognise this as Jersey, but they see the IP address, and they recognise bank or bank customers there – they don’t care about the physical territory.”

“They don’t infect businesses on the territory of their own country – they don’t want local police involved.”

While Head of JFSC ICT, Denis Philippe, identified sophisticated DDOS attacks – disruptive attacks aiming to shut down systems – and IP theft as key threats, he said that potentially fatal errors are frequently much less technical and occur at a human level.

Pictured: The key pillars of the States of Jersey's recently-published Cyber Security Strategy.

In fact, according to the States’ Cyber Security Strategy report, 95% of information security incidents worldwide involve human error – and cyber criminals are making the most of that.

Their techniques, Mr Smith commented, are largely based on traditional fraud methods – hackers masquerading as mutual friends or potential business authorities to gain money, or using ‘ransomware’ – a type of software that holds the computer ‘hostage’ until a cash sum is paid out, of which Jersey sees up to 8,000 incidents monthly.

“Shaking hands and signing contracts, that’s the old way of doing things. Now everything’s done online. I’m not dealing with you, I’m dealing with an image on a screen that could be you or it could not be and it’s very difficult to prove that it’s not someone else,” he explained.

Pictured: Denis Philippe, JFSC Head of IT, and Martin Smith MBE, Founder and Chairman, The Security Awareness Special Interest Group (SASIG), who both spoke at the Cyber Security Masterclass.

The Jersey government is threatened by more than 500 attacks daily, and the JFSC comes under thousands, but Mr Kaspersky says that this is “not much” in comparison to the  global picture, and even these can be clamped down upon  with, “technologies, education and government regulation.”

The priority is privacy and personal data, which are, “…one of the most critical issues. It is one of the most important things for companies and governments to regulate,” he commented.

But Mr Philippe says that Jersey, “…is making all the right moves” on this front, with the recent Cyber Security Strategy and by following the EU GDPR (General Data Protection Regulation) standards.

Under this new regulation, businesses and financial authorities have a duty to report data breaches immediately, and can be fined up to €20,000,000 if reasonable precautions are not put in place to protect data – whether through staff education or updated firewalls and anti-virus software.

Eugene Kaspersky @e_kaspersky speaking to #Jersey directors about the global scale of cyber crime #CyberSecurity #cyber pic.twitter.com/1Dqpd5RNBu

— JerseyFSC (@JerseyFSC) March 9, 2017

“[GDPR] symbolises a lot of what was previously before notification but with no penalty because it criminalises it, it focuses the attention of the board, because directors’ liability insurance falls away in the case of criminal and prosecution. So it does make the executive and non-executive boards wholly accountable personally for breaches, which has woken people up,” Mr Philippe commented.

While the legislation – which the JFSC are aiming to comply with – officially comes into force in March 2018, Mr Smith explained that good security doesn’t have to be perfect – just enough to be a deterrent:

“If you recognise the problem, you are half way to solving it. Jersey has recognised it as an issue – that is a huge step forward.

“We also don’t need to be totally secure – we just need to be more secure than the others. All we have to do is make ourselves more secure than the opposition, and the crooks will try, they’ll realise we’re on the guard, and they’ll just go somewhere else.”

Of course, such measures are costly - £2 million over a three-year period in terms of Jersey’s cyber security strategy – but, as Mr Kaspersky observes, “…they must be done.”