When unflattering emails from Hollywood bosses were strewn across the internet, following a massive computer hack at Sony Pictures, there were red faces all round.
But the attack – blame for which was laid at the door of the North Korea government – did more than dent a few superstar egos. It demonstrated the vulnerability of the biggest of corporations to cyber invasion.
Britain is seeing about 70 sophisticated cyber espionage operations a month against government or industry networks, the nation’s intelligence chiefs estimate.
A survey on the nature of cyber-attacks in the UK, undertaken by Oxford Economics last year, found that cyber-attacks are a common problem, with 60 per cent of respondents experiencing an attack in the last year. The study found that the cost to UK firms in terms of reputational damage is around £2.9m. The most common loss of competitive advantage came in the shape of “compromised negotiations or business ventures” (31%), followed by the “appearance of copied products or practices”.
Sir Iain Lobban, director at GCHQ, the nation’s secret monitoring, said business secrets were being stolen on an “industrial scale”.
And in his first public interview MI5’s (anonymous) head of cyber said: “There are now three certainties in life – there’s death, there’s taxes and there’s a foreign intelligence service on your system.”
His stark words are underlined by Randle Stonier, boss at Twickenham-based events agency, Adding Value.
Mr Stonier told CN: “Every company has been hacked. I like to quote Robert S. Mueller, III, former director of the FBI who said ‘I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.’ How prepared are our clients? It varies hugely. They all reference data protection and data security but some take it more seriously than others.
“One client demands that all information from their company is hosted on an independent server and they will test the integrity of our system with little or no warning. One client in the financial service sector has demanded that no information or data is held on electronic systems – it is all processed manually.”
Some reports suggest that responsibility for the Sony hack may lie with a disgruntled member of staff at the entertainment company. In a sector such as the international events industry, which relies heavily on freelance and casual staff, the possibility of a lone wolf attack remains strong.
Stonier said: “We have software that checks what staff members are downloading and it will alert us of any inappropriate behaviour, such as a member of the creative team attempting to access files to which they do not have permission.”
One of the most discomforting aspects of the Sony hack was the revelation that the company’s passwords were kept in a folder called, you’ve guessed it, ‘passwords’.
A government expert on cyber security, based in the Cabinet Office, told CN that protecting the firm often comes down to basic cyber hygiene.
He said: “If I was running a major corporation my requirement would be for people to take this very seriously. The cyber industry is moving so fast and it is a continuing process to keep on top of the threat.”
Karene El Beyrout, who organised the survey on cyber crime for Oxford Economics, said: “Firms are often not willing to speak about the incidents. We need greater transparency – that means firms sharing information, in confidential forums if necessary.”
With this in mind, GCHQ is launching a ‘school for spies’ for the country’s most talented entrepreneurs. The idea is not just for those graduates who want to spend a lifetime emulating James Bond. Whitehall officials are looking at whether recruitment to the secretive agency could be opened up to graduates who would go on to set up their own companies or work in fields such as conference and events organisation. The government is also examining whether any of GCHQ’s intellectual property could potentially have civilian and commercial applications, particularly in the realm of cyber security.
Francis Maude, minister for the Cabinet Office, said: “It is part of this government’s long-term economic plan to ensure that we have people with the right skills in order to make the UK one of the safest places to do business online. Assuring high-quality cyber security training courses, against the Institute of Information Security Professionals skills framework, provides organisations with the right assurance. This shows that the training they are using for their staff meets GCHQ’s high standards in terms of content and delivery.”
Knowledge of cyber security could become a key requirement for future employees in the event industry, but bread and butter issues of venue safety remain problematic, according to experts.
Total Post provides x-ray screening at the Counter Terror Expo at Olympia in London. Communications manage Kate Simpson said venue managers don’t always take the issue of security as seriously as they should.
She said: “Some venues don’t make a priority of checking bags and coats and they represent the biggest threat to security at an event. If a bottleneck happens we are often told just to let people through, but if you manage the x-ray procedure properly then bottlenecks wouldn’t happen in the first place. You don’t need to go as far as body scanners, x-ray machines that can check bags and packages will be sufficient for most events. Many venues don’t seem to have security in place permanently and they should be thinking about doing that. It shouldn’t take something serious to happen to make security a priority.”
David Thompson, event manager at the Counter Terror Expo said: “Tradeshows increasingly attract an international audience of VIPs from across the public, political, police, military and commercial sectors. This is reflected by the significant number of high profile speakers and visitors that are expected to attend Counter Terror Expo in April.
“The equipment, technology and services that are designed to safeguard conference venues and similar arenas play a pivotal part in protecting the public.”
Chris Phillips, the founder and managing director of the International Protect and Prepare Security Office, is a keynote speaker at the expo. He sends a bleak warning to venue operators. He said: “They are not doing enough to protect conference delegates. If a group seriously wants to mount an attack on a conference venue they will be able to.”
The head of MI5 Andrew Parker has warned that the threat of a terror attack in the UK is increasing and underlined the security services could not be expected to stop every plot.
His comments were made in the wake of a murderous rampage in France which sent shockwaves around the world.
One of the 12 people shot dead at the satirical magazine Charlie Hebdo’s offices in Paris was Frédéric Boisseau, a 42-year-old maintenance worker, employed by Sodexo, the international venue caterer and facilities management company.
Sodexo employees around the world gathered on the Thursday afternoon following the outrage to mourn the death of the father of two.
The firm’s chief executive Michel Landel said: “We all share the conviction that such a terrible loss of life is unconscionable. The tragic and unjust circumstances are reinforced by its cause, which runs so utterly contrary to our values.”
Marco Forgione, CEO at UK trade association EVCOM, told CN: “It is natural that, as a result of the horrific and tragic attack on Charlie Hebdo we are all questioning safety and security. This is particularly relevant for the events industry, including venues and destinations. All professional event organisations will have security and safety protocols and policies in place, which are reviewed and updated on a regular basis. Safety for attendees and participants at any event is a priority.
“In the UK we have a world leading reputation in event safety and security. For many years we have lived and operated under the threat from international terrorism, but due to the professionalism and expertise of our event industry we remain a world leading international event destination. We cannot be complacent, we need to ensure that safety underpins all that we do; at the same time we do need to protect the principles of a free and democratic society.”
Excel London’s chief operations officer Brian Cole said his venue would continue to gather information from organisers, external agencies and the Metropolitan Police and identify anything that could be classed as a threat to the venue or those attending.
He said: “Excel’s security department is on high alert and are instructed to report any suspicious activity. Working with our organisers and their security suppliers, we will complete risk assessments for every event, with the agreed appropriate steps or with the necessary measures implemented. We continue to work closely with the Anti-Terrorist Division of the Metropolitan Police, receive intelligence from the Inkerman Group and will adhere to any advice we receive. As a venue, we are committed to review our procedures when any significant change occurs in consultation with the relevant parties.”
The London QEII Centre’s chief executive Mark Taylor believes London has been operating at a heightened threat level since August 2014. “To ensure we maintain a high level of security, we are in regular contact with the Metropolitan Police and review our procedures based on all scenarios including terrorism incidents which have occurred not just in Europe but also in Australia, Pakistan and the US.
“The QEII Centre has always taken security as a key priority and we have recently reviewed emergency lockdown procedures in the event of a terror attack/incident. We also ensure all of our staff are well briefed and trained in the event of a security breach.”
A spokesman for the Paris Convention and Visitors Bureau said that everything was being done to guarantee the safety of visitors to the French capital. He said all sites, including tourist sites, requiring additional protection, were part of a special plan and that security had been raised “to its maximum level to ensure optimal safety.”
But how safe is safe, is a perennial question for event organisers.
This was first published in the February issue of CN. Any comments? Email John Keenan