Taking no compromises when it comes to security

Security stories are everywhere at the moment, so we spoke to Mark Valentine, head of information at car dealership Lookers, to discuss the current security landscape and issues around data protection.

  1. To start off with, give us an introduction to Lookers.

We are the UK’s second largest motor retail dealership with a large presence in the North of England, with profits of approximately £250 million and over 6,000 employees. We also have ambitious expansion goals and in a competitive industry, we are constantly concentrating on ways to reduce our operating costs and maximise profits to maintain our success.

As we continue to grow, the business needs to be prepared for increased headcount and activity on the network by rethinking ways of working. As part of this, we are investigating Microsoft Office 365 to enable collaboration and introducing processes to ensure all employees and customers get the same security, access and connectivity to our services.

  1. You recently changed your security vendor, what prompted this change?

Ultimately, the primary function of Lookers is to sell cars. Any product that protects us from unexpected downtime and ensures minimal interruption of day-to-day operations is vital to achieving our business objectives. Like when the US marines turned up on the beaches in Normandy, Hexis Cyber Solutions offered us a means to simplify complex matters of security and with its HawkEye G solution in place, our business is able to continue its mission seamlessly.

Previously, we relied on antivirus solutions. However, performance on the endpoint and an out-of-date engine meant we recognised that our level of security was not as robust as needed. As the business continued to expand, we needed to be able to ensure that our systems were being cleaned regularly to protect us from attracting any unwanted attention. Our new solution achieves this by using a combination complex artificial intelligence, pattern recognition, threat intelligence and real-time network sensors and agents to identify the enemy and automatically stop the threat at machine speed.

  1. Stories of security breaches seemed to be everywhere in 2015, did you have any experiences of cyberattacks?

Like all companies, we assume that we are in a continuous state of compromise and have experienced security incidents. For example, we previously witnessed the DRIDEX virus breaking out on 140 machines on our network and targeting senior financial people at month-end.

However, we have managed to evade data loss by using Hexis HawkEye G to identify IP addresses that pose a potential threat. By correlating activity on the endpoint with activity on the network, the system alerts us to any problems and automatically removes the threat to uphold our protection.

  1. Data protection is a hot topic at the moment. Do you see this as a key area for your company?

In a sophisticated cyber security landscape where cyber criminals are continuing to generate profits from their crimes then it’s inevitable that there will be data loss and personal data will be embroiled in that. However, with the introduction of the EU’s General Data Protection Regulation (EU GDPR), organisations have about 18 months to get their houses in order.

Even with the possibility of a Brexit looming, people should not be fooled into a false sense of security as the protection of personal data will remain a hot topic and legislation will be enforced. As a result, it is one of the areas that we are focusing on as a company and like many organisatons, we need to be prepared. We are concentrating on educating people and introducing processes that provide another layer of security.

  1. Do you think security is now a concern for everyone or are organisations still being slow to take notice?

Overall, organisations can be split into three camps: At the top end are companies that take it very seriously. These tend to be the businesses that deliver critical services and hold a lot of personal information, for example, financial services, insurance or hosting services. In the middle, there are the green shoots. These organisations tend to believe that there isn’t a company out there that isn't being hacked so it comes down to how or when you detect it. At the bottom of the scale are organisations that don’t want to invest in IT security and believe it will never happen to them.

Most organisations are still discovering IT security and only find out about it after a data breach. Whilst the trend towards greater governance is gathering pace, not all companies see it as a priority. As a result, we’re likely to see a spike in fines when the EU GDPR comes into effect. All organisations that handle personal data must recognise the need to have basic security policies in place and look for a solution that can automatically detect and respond to threats.

  1. How do you see the threat landscape changing this year?

The fact that technology is becoming increasingly portable means that it’s never been more important to think beyond the traditional firewall approach and move towards automated defense strategies. At the same time, cybercriminals are continuing to evolve and the landscape is broadening. Increasingly, we are seeing that perpetrators are finding new ways to target specific company types with law firms becoming one of the top targets for 2016. Finally, legislation is only going to increase.

At Lookers, we are aiming to stay ahead of the threat landscape and lay the foundations that allow the business to grow. Company security is a board-level conversation for us, which mirrors where cyber criminals like to focus their attention. As well as introducing new tools, we have also ensured that our thought process filters through into targeted actions. For example, we have educated people who deal with sensitive data on best practice security – not just our own employees, but also the manufacturers that are shoring up endpoints on our network.

Throughout 2016-2018, we will continue to see that the weakest element in security strategies are people, so it’s imperative to align staff and data security.

Introducing greater synergy between people and process through internal communication campaigns and training helps raise awareness and is the easiest business win, bringing back millions in saved time, grief and aggravation.

Image source: Shutterstock/GiDesign