By Eimear Dodd freelance journalist/writer
Some insights from Rob Norris, Vice President Head of Enterprise and Cyber Security Fujitsu EMEIA who spoke with us at the recent Fujitsu Forum in Munich. The interview has been condensed and lightly edited.
Can you tell me a little about your role in Fujitsu?
I head up Fujitsu’s Enterprise and Cyber Security business. I am building the cyber business for security in Fujitsu in EMEIA (Europe, Middle East, India and Africa). We have cyber-capabilities in terms of our security operations centres (SOC). Our cyber personnel operate out of these and deliver security services to customers. It can be anything from managing their firewall, their intrusion detection devices or their anti-virus. We monitor for attacks or threats on those clients and respond accordingly.
At the same time, we provide professional services to organisations. Should they have problems or if they want a cyber health check, we’ll provide those services. Likewise if they buy products, we can help organisations with implementation. They can then manage the products themselves or we can manage it on their behalf. It’s full cradle to grave from selling cyber security products, implementing them and managing them.
Is there a security operations centre in the Demo Centre here at Fujitsu Forum?
There is. The SOCs monitor and manage clients’ devices remotely. They will watch for activity. We will monitor the firewall. We can make policy changes to the firewall, if the client wants to allow access from a company or an individual. We also manage intrusion detection devices. If people are trying to gain access to that device, it will trip a monitored alarm. In our SOC, we collate that information and what we do is look at those alerts. If there is any suspicious traffic or behaviour, we can investigate and if needs be, we can respond accordingly. We’ll investigate to make sure that an individual hasn’t gained access and organisations haven’t been penetrated. Where there might be a problem, we can then provide resources from the SOC to remediate the problem or on site to help address any issues if there has been an attack.
Is the challenge not just people who are trying to maliciously hack into systems but also business practices?
If you look at it, the number one way to gain access to a company is still through a phishing email. Organisations need better training programmes to make sure that employees know what to do if they receive an email they weren’t expecting from somebody they don’t know. Before you open that email, have a think about it. Should you open it? If you don’t recognise the header of the email, don’t open it. Maybe go and have a conversation with the IT department or if you’re unsure, delete. That’s one way that we’re still seeing people gaining entry.
And then other issue, it’s all about making sure systems are patched. If organisations do simple things like patch systems and make sure passwords are changed regularly, then it reduces the odds that they’ll be compromised outside of a phishing attack. Just doing the basic things can keep them protected.
If a phishing email comes through and causes an issue, as long as you’ve backed up the information then you should be secure. WannaCry was a good example because it affected a lot of organisations. Some hadn’t patched. Other organisations didn’t necessarily have an up-to-date back- up. So it’s basics.
— Eimear Dodd (@dodd_ec) November 10, 2017
Does security come down the list of things that organisations think about sometimes?
I think it’s starting to come up the list. I think security is a bit like an insurance policy on a house. Some people think it’s never going to flood or I’m never going to be broken into. They take a risk and don’t have an insurance policy.
Some people look at security as an insurance policy they might never use. But, I think what they need to think that the risk is a lot higher than it’s ever been. We preach to organisations now it’s not a case of if you’re going to be attacked but when. Everyone’s email addresses are out there. People are making information available about themselves. All you need to do is send a phishing email to one of these email accounts and make it a bit more personal with information about the individual that you’ve got from Facebook or another social media site.
I think that’s been an issue that security has been seen as a policy that would never be called upon. If you do need to call upon it, you need to make sure you’ve done the basics to protect yourself.
With recent high-profile cases like WannaCry, has this negative publicity made people more aware of the importance of security?
I think the good thing is people are becoming more aware. In the past, I think people have viewed security as a company problem. I go to work and the company worries about that. I think WannaCry affected people personally. Operations and hospital appointments were cancelled. This made it more personal because it affected a lot of people who then took notice. Actually, cybersecurity does affect my daily life. So I think we are seeing much more visibility.
And again, if you look at the phishing emails, a lot are targeted at the individual to get banking information or assets. As more individuals become targets, more people will take notice of what they need to do. Two or three years ago, hackers were targeting companies to try to steal intellectual property. Now, opportunistic thieves are coming in. They’re after personal information either to use it themselves or to sell it on the dark web for financial gain.
Is cybersecurity an enjoyable area to work in?
If you go downstairs to the Demo Centre, you see the guys in the SOC and they love it. Every day is a different. It’s not mundane. They’re pitting their skills against some of the blackhats. You always have to stay one step ahead of the competition who are the hackers in this case. Technical people thrive on a technical challenge and cybersecurity gives them lots of that. The trick for us is to make sure we demystify it so that people understand cybersecurity and the risks. It’s important it doesn’t become this black art that everybody is worried about.
Is there anything you’d like to add/that you think I should have asked?
In terms of cybersecurity, we’re now providing products in addition to our services. I think username and password will go in the next three years. It’ll be about biometric security. People will use two factor authentication. It might be voice, facial or finger. For example, our PalmSense technology will read a hand by looking at the blood pattern in the palm. The sensor senses the blood flow and vein pattern. If the blood stops flowing, it wouldn’t read the palm. We’re working with companies to put this onto petrol pumps. People will be use it to pay services. It could be used to access your car in the future. It’s clean and one of the technologies that are coming from a biometric point of view.