Wednesday, December 07, 2016

The cost and benefit of cyber security

I have been asked to give my views about what has to be provided in the legislation on Cyber Security.

My reply focuses on the following points:

1. How serious is this threat?
2. Is the threat being exaggerated?
3. Can we identify the risks before spending a lot of money to counter the risk?

The possible threats are:

1. Cyber attacks that lead to internet infrastructure being brought down
2. Theft of money from bank accounts
3. Stealing of personal information

We need to understand if these threats are so serious that they merit action by the entire community.

Recently, the fibre broadband network of Sing Tel was brought down. Was it caused by a cyber attack or was it just carelessness by the operator? The service was restored within 24 hours. It was troublesome but we can live with it, if it occurs quite rarely.

If we get the network being brought down regularly by cyber attacks, we face a real threat. If not, we should wait and see if this threat is real before taking expensive preventive action.

There were a few cases of money being withdrawn from ATM machines by criminals. Criminals will also break into houses to steal money and property. How serious is the hacking of ATM machines? The banks are already taking appropriate action. Is there a need to raise the level of security?

A more useful response is the audit function. If there is stealing of data and money, it should be detected soon after the event. It may be difficult to prevent criminals from all of their activities. It may be more useful to focus on detection and prosecution.

I am also not worried if my personal data, stored in several hundred databases, is stolen. It usually contains my name, email address and maybe the password. If the criminal wishes to try using my password to access my other accounts on other websites, they are welcome to do so. Even if they place a fictitious online order for me, so what? They still have to make payment.

I am more careful about the password for my bank account and PayPal account.

The real risk is with stolen credit card details being used to make unauthorised payments. This is an area where the banks can strengthen their infrastructure. They should allow the customer to set a PIN for their credit card and require the PIN to be used for online and offline payments. The use of the printed CVV number is inadequate. It should be replaced by a PIN that is not shown.

I suspect that a lot of the hype on cyber security is created by the security firms. They use this opportunity to promote their services to prevent the threats. Often, the cost of the prevention is higher than the loss from the criminal activities. It is better to spend a smaller sum of money on detection and prosecution.

