Q&A with Stephen Bonner, speaker and panelist – RANT Conference

Let’s start by hearing a sneak preview of the talk you’ll be giving at RANT?
It will be on the subject of cyber war. The way some people talk about it annoys me, so that makes me passionate. It annoys me when people use phrases like “Digital Pearl Harbour” and compare the proliferation of cyber weapons with nuclear weapons. The way we overegg some of the threats, and make them sound like significant problems when they are not that important at all, does us no favours. I think we’d be better off being more realistic about the threats and benefits.

I’ll be saying that what’s happening now isn’t war and draw some parallels between what war is and isn’t like. But I’ll also talk about what it would look like if we did have a cyber war. I don’t think cyber war is impossible or all made up but I think the use of the phrase is wrong.

Using the word “war” and describing what’s happening now in that way normalises war, which I think is a terrible thing. Cyber war is only likely if we keep making it more and more normal.

And what about the panel you’ll be part of?
I hope that will be a little more light-hearted! The other talk is more about “You’re all doing it wrong, stop it,” and this is a bit more humorous. We’ve assembled a panel of people that have never sought to be security rock stars, but given them a platform to discuss how they became security rock stars and what the benefits are. They will also be offering advice to aspiring security rock stars! It’s firmly tongue-in-cheek, though.

With such an experienced panel the audience will be hanging on your every word. What’s the message you want them to take away from that and your talk?
To enjoy it would be my advice. With my talk, it’s very much about getting people to stand up and challenge people who throw around terrifying expressions when they don’t match. It’s also about changing the message around cyber war and getting people to think about the definition of war, the Geneva Convention and so on. I think people perhaps aren’t properly preparing: people should be working harder to make war less likely and also working to reduce the consequences of it.

If phrases such as cyber war and Digital Pearl Harbour are wrong, what should we be calling it?
It’s just crime and theft. It’s still bad and can damage organisations and people, but it’s a crime, not war. And the proper response to crime is law enforcement, not intelligence agencies and the military. The more we position simple crimes as military actions the more comfortable people will be with taking military action.

I’m going to talk a bit about the features we see at the very high end in terms of espionage work and compare that to war. There are not very many stealth wars; once you’ve invaded you have to stand up and say hello. Mostly what we’re seeing is crime with a bit of espionage thrown in. A denial of service (DoS) is not war, it’s a protest, a riot. You stop protests and riots by arresting and prosecuting people, not by cluster bombing. There is a line and we need to be very clear about it.

You have been involved with The RANT Events for many years now. What do you think sets it apart from other security events?
It has an authenticity; it’s people talking about what they are passionate about rather than what they are told to be passionate about. There is an element of truth to the event; it’s a way to cut through some of the hype that can dominate the security industry. There are no keynotes where a DLP vendor tells you how important DLP is, or an antivirus vendor telling you how important that is.

RANT feels very much like a community, with people engaging and being honest about the things they like and dislike. I think that’s powerful and an important step towards being a more mature industry.

Register for the RANT Conference – http://www.rantconference.co.uk/register/

Top industry professionals set to flock to London for the upcoming RANT Conference

June’s RANT conference will see a selection of top IT Security industry professionals take to the stage.

The RANT Conference in St Paul’s London is a little under a month away now and anticipation amongst information security professionals is growing by the day.

On June 11th 2013 a full day of enlightening, informative and engaging presentations and interactive debate panels has been scheduled, conducted by a selection of the IT security industry’s most influential thought leaders, Rockstars, Futurologists, Innovators and Ranters.

Acumin has been running the monthly Risk and Network Threat Forum (RANT) since 2007. It serves as an end user only, informal networking, discussion and debate event for senior professionals working within the information security and risk management market.

Every month a new speaker attends to start a rant about a particular hot topic within the industry and actively encourages the audience to pitch in with their points of view, opinions and suggestions in a relaxed and informal atmosphere.

The first RANT Conference in June will see well known speakers Stephen Bonner of KPMG and futurologist Mark Stevenson take to the stage amongst plenty of other top industry professionals to talk about the biggest issues the sector is currently wrestling with.

Some of these topics include bring your own device – which serves up the notoriously well known acronym BYOD – mobile device management, secure outsourcing, and the major threats currently facing cyber security.

Mark Stevenson, founder of The League of Pragmatic Optimists, will also be attending to give a keynote speech on ‘The Big Shift’, highlighting the major role the security industry has to play in helping shape the future.

State sponsored espionage and the pressing issue of mobile security will also be explored later in the day by a selection of top industry RANT’ers.

The RANT Conference is designed for information security managers, directors, chief information security officers and other senior information security and risk professionals who work within end user organisations.

June 11th really is an essential date for the 2013 IT security calendar and the event is not to be missed by industry professionals!

The conference has seen a high number of registrations already; places are going fast, so be sure to register ASAP to secure your spot. Discount codes are available, so email Gemma on gemma@rantconference.co.uk to see how you can get one.

Q&A with Mark Stevenson, keynote speaker at the upcoming RANT Conference


Without giving too much away, what will you be talking about at the RANT Conference on June 11th?
I’m going to be talking about the mega trends that will affect the world and what will be required of the security industry in order to respond to them.

These mega trends are part of the Big Shift (more details on that here: http://www.rantconference.co.uk/seminar/opening-keynote/), but how is that different from the digital revolution?
That was just a trailer; I like to say it is like the cocktail sausage before dinner. Everything that happened with digital – the democratisation of power and established players losing control of the means of production and distribution – will come to the physical world with programmable biology and programmable matter through 3D printing and nanotechnology.

So imagine a world where your mobile phone can give you a blood test and you can download the right drug based on that blood test and then print it at home. That’s what we’ll be seeing within the next generation or two.

That obviously has massive ethical and security implications. For example there are people using 3D printers for guns. Is there a way to allow people to download a car part, for example, but not an AK47?

That leads to the question of who regulates it…
Even whether it can be regulated; my suspicion is that it cannot. Therefore what happens to the security industry? It will have to become a ‘crowd industry’. Rather than specific people telling us what to do we will have to come together as society and work out how to secure ourselves.

So what will you be telling the Conference about how the role of these information security workers will change?
There are very difficult questions coming but they are probably the best people to answer them because they have the expertise and the knowledge and they understand more about securing distributed resources than most people.

So the question is, what is the security framework that works for individuals in a radically democratised world, where, for example, I may want to exchange my genome data with a physician in South Africa? I don’t know the answer yet, nobody does, but I think they are the right people to think about it.

How far will these changes go? What will the world look like in 100 years?
I think anyone who would attempt to tell you what the world will be like in 100 years time is either intellectually vain or bonkers. If you look at the history of futurology what you’ll see is that the predictions were often an expression of prejudice or a wish list of the person who was asked. We’re quite good at seeing first order effects: If you invented the internet it’s not a huge leap to predict email. But do you then see the invention of social media? Or its role in the Arab Spring? No.

Because of what is happening with technology all bets are off; pretty much anything you can imagine is possible in the next 100 years.

So if it’s less about predicting, what is the role of a futurologist?
It’s about getting people to ask the right question. For example I was talking to a pharmaceutical company about the prospect of printing drugs and open source drug development and what that would mean legislatively. They were then asking questions that went beyond margins, questions they hadn’t been asking half an hour before. That’s the point; they go from asking questions about profit margins on existing drugs to asking what would happen if every doctor’s surgery in the world could download and print its own open source drugs.

Douglas Adams said there are three types of technology: tech invented before you were born, which you don’t think of as technology; technology that is invented between you being born and turning 35, which is very exciting; and technology invented after you turn 35, which is completely pointless and makes you angry.

If you look at a lot of organisations the ones who decide the strategy are in the last group and most of their employees and customers are in the second, so there is a massive mismatch there.

A lot of the people you’ll be talking to at the conference may be in that last group as well.
I can guarantee that at the end of my talks people do not ask dull questions! People at the conference should be getting hold of 3D printers and hanging out with bio-hackers and so on. They should be asking, ‘what is my role going to be in this?’ and ‘how do we secure these new technologies while making them accessible?’

Hear Mark’s talk on The Big Shift at the RANT Conference on 11th June.

Privacy is always better through sepia-tinted glasses


Instagram has done one thing well. And no, it’s not turning HD 8MP snaps of man plus dog’s meals into Polaroid-esque travesties of blurriness, reminiscent of ‘70s snappers. What the photo filter app-maker (or photo-sharing and social-networking service if you sign up to marketing hyperbole) has done though is highlight that there isn’t a total sense of apathy and disinterest in security and privacy amongst the greater public; they just need something to care about – a sepia-toned champion if you will.

As word of a renewed privacy policy swept across Twitter, Tumblr, and Pinterest, the cool kids were up in arms, albeit at the duress of coattail-riding ‘celebrities’ like Kim Kardashian (a more orange than sepia skinned hero granted, but we take what we can get). How can you not own a photo you took on your own phone? There is one school of thought here that rationalises the situation – you own the unaltered photo which you took; but as you’ve over-exposed/scratched/generally ruined it with their app, then the output belongs to Instagram. By their logic, any image manipulation produces a new photo that is the property of the editor. That’s the kind of proprietary nonsense that even Apple’s legal team would turn their noses up at. This isn’t something anyone wants – my HTC has similar filter editing built in, and plenty of HDRs and digital cameras do their own image and balance correction on-device. Whilst we’re on the subject of what you can do ‘on-device’, in what world did Instagram think it was a good idea to not let users take pictures offline? Seriously?

Despite what Instagram, Zuckerberg, or anyone else claims the true intention of the shift was, the subsequent backtrack was unsurprising both in its speed and scope of the policy turnaround. For a company fresh off the back of a $1bn acquisition and enjoying the associated buzz of riding the crest of the Facebook wave, the whole move was a PR disaster and the damage has already been done. If you believe some news outlets, the app has lost half of its daily user base as a result of the debacle, and competitors have stepped up to try and fill the ‘vintage filter’ void.

But is it fair to blame companies like Instagram, YouTube, Facebook, et al for trying to monetise their offerings? After all they host literally petabytes of users’ content. It isn’t just servers that cost, but staff, cooling, and ground rent. And really, what were they going to use those pictures for? Which third parties were they hoping to sell them to? As nice as that shot of a sun-drenched deckchair on Brighton beach is in black and white, it’s not like stock photo repositories are going to be teeming with low-res shots of your shenanigans for sale. Let’s face it, Instagram got jealous of Facebook and LinkedIn with their user content advertising, and got caught up in the ‘we should be doing that too’ mentality that is synonymous with social media… except they forgot to offer an opt-out like those other bastions of user privacy (eventually) did.

So there’s one very important lesson Instagram has given us – users care about privacy and security when they have a vested interest; if it’s something they use out of choice rather than necessity, they are more than ready to get up in arms about it. Well, actually there are multiple lessons, but if there’s one more fortune cookie of wisdom here, it might be best to explain the purpose of a policy before rolling it out, even if it’s just for awareness, hearts, minds, and warding off mutiny.

If you like it, Google might put a ring on it


A recent Google Labs research paper explored ideas of alternative sign-in methods and more secure authentication techniques. As anyone who has used Gmail over the last few months will know, Google are desperate to introduce secondary forms of verifying your identity; namely submitting your mobile number so that the Mountain View-based internet giant can generate a one-time password. A current pilot study being run out of the Googleplex explores the idea of the mobile device as (rather than generating) the password: this is the passdevice.

Google are desperate to get user security right. They have a large existing user base across their search, messaging, mapping, and video services, and are firmly established as a market leader in consumer email. It isn’t just email though; your Google credentials are the same across the entirety of their platform and product range. What we are dealing with here then is a cross-platform online identity. With the increasing monetisation of services such as Wallet and the Play Store, there is also a direct loss impact to be felt should account security be compromised. There is a direct financial incentive, in terms of profit rather than just loss prevention, as Google tries to assure us that it is the homogeneous web ecosystem… although let’s face it, no one is believing those Google+ user figures!

Search, Gmail, YouTube, Android OS, Play Store, Zagat, Maps, Motorola, Blogger, Drive, AdWords, AdMob, Analytics. Google offer a lot of free services, and constantly push the envelope in research (Goggles), only to scrap offerings that aren’t ‘working’ (read: not easily monetised) – Google Wave anyone? So there’s no questioning the value that they bring to the digital age, and the standing they have as one of the world’s most powerful (if not necessarily trusted – “don’t be evil”) brands. Is it that unreasonable then that they might ask something in return, something beyond $10-11bn/year profit and full knowledge of your online habits?

You see, Google are thinking along the same lines as Beyoncé here: if you like their services so much then you might as well let them put a ring on it. An authentication ring. Which all sounds very nice, until you start thinking that Web 2.0 giants like Facebook and Twitter, and arch-rivals Apple, might like the idea – free advertising and the kind of brand commitment that wearing a real world ‘device’ entails. The whole initiative would take some time to roll out too, not just in terms of manufacturing and getting rings on fingers, but also in terms of devices and platforms that can read the token. Mobile phones are refreshed every 18-24 months, meaning that side of the industry wouldn’t take too long to catch up, but what about PCs – would a reader be connected via USB, retro-fitted, or built in during manufacture? And then there’s Apple, who haven’t exactly been playing ball with supporting their Californian neighbours’ products and services – considering the market share Apple still have in Western markets like the US and UK (and remarkably in Japan), Tim Cook (Apple CEO) may be the biggest road block on the ring’s route to market.

In principle there are pros and cons from a security and usability perspective with ‘ring-thentication’ – to name a few: will it be resilient? Water-proof? Easily blocked and replaced if lost or stolen? Will remote and/or security updates be possible? There are still questions to be answered, but what the research paper does do is finally try to take on the challenge of user inertia towards security and passwords. It’s so simple a solution that the user won’t have to do anything beyond making the initial decision to put the thing on.

One Acronym to Rule Them All…


It seems that maybe MDM (Mobile Device Management) isn’t the most effective solution to an issue as broad and undefined as BYOD (Bring Your Own Device), although it certainly is a simpler one. At a recent CISO panel, Andrew Yeomans, a board member of the Jericho Forum and regular attendee of the RANT event for end user security professionals, was amongst other senior figures in the industry calling for a more effective and rounded solution.

Since the iPhone and G1 came along and convinced us all that PDA owners were on to something after all, the issue of secure mobility has arisen beyond the need to encrypt laptops and USB sticks. This has troubled CISOs and Information Security Managers who are reluctant to tell their CEO “no”; after all information security is positioning itself as an enablement function now. So how do you tackle the problem of making a consumer device, with little inherent security, sufficiently resilient to hold sensitive or regulated corporate data?

It seems that at one point, about 12-18 months ago, MDM was a possible solution; now it is often heralded as the only solution. So what’s the problem, other than that licence fees from some vendors can reach towards £100 per device, and that’s without support or server costs… there is of course the additional strain on already understaffed security departments as well.

So why might MDM be the great info sec white elephant of 2012/13? The main difficulty all security controls encounter is user resistance: if something isn’t intuitive or streamlined it will often be circumvented. MDM may sound like a good blanket solution but it is addressing Bring Your Own Device, and therefore its presence on a personal smartphone or tablet is incredibly intrusive. It harks back to the darkest days of Draconian approaches to information security and risk management. To do the job properly MDM needs to lock down the full device and in doing so impacts user experience.

MDM is one solution to fit them all. Fine, your product covers iOS, but is it compatible with the iPod Touch/Nano and the latest iPad Mini too? Yes, you do Android, but does that cover Froyo, Gingerbread, ICS and Jelly Bean? And what about every manufacturer’s Android OS overlay: will it work on employees’ HTC, Sony Ericsson, Samsung, Motorola, LG, Huawei, ZTE, Acer, Asus, Dell and Panasonic handsets? Then there’s the Nexus and Kindle ranges. Fragmentation is a huge problem not only for compatibility but also from a functionality and support perspective. And what about reporting: how do you manage so many disparate devices, and where do you begin with e-Discovery?

Other acronyms don’t necessarily fare any better. MIM (Mobile Information Management) is also troublesome from a security and monitoring perspective; and MAM (Mobile Application Management) is again difficult for the user to adjust to, as there’s a sacrifice of native apps and a whole new aesthetic and ecosystem to acclimatise to. The idea of MAM through SDKs and API wrappers, features recently announced by both AirWatch and Webroot, will likely turn out to be the most effective solution in the long term.

As it stands, for many MDM is too obtrusive a solution for personal devices and much better suited to locking down corporate mobility assets. We’re on the right path, but there’s a lot of work to be done in balancing security, impact, and usability. Come to think of it then, BYOD is just like most other security concerns CISOs have encountered over the last decade.

Debating the importance of security awareness

It goes without saying that in this open day and age, the importance of good practice when it comes to data and sensitive information is more pressing than it has ever been.

From emails to tweets, USB sticks to smartphones, big bundles of paper tucked under your arm, printed here and there, remotely, across the digital highway, zip, zip and away, the ubiquity of information out there is pretty amazing.

With this sheer volume of information, transmitted, shared and downloaded on a daily basis, 24/7, all around the world, everyone always on the go, life has never been easier.

Add to that the fact that it is done through multiple devices, where one minute you’re writing a paper on your Blackberry, the next minute loading it to your Apple Macbook Pro, the next sharing it via Dropbox, and it is almost inconceivable that back in the day we relied heavily on transporting things via post.

With these radical changes comes danger. Where a lot of information used to be filed away and archived in a physical sense, under lock and key, today everything is in effect online or stored on a computer, which needn’t these days be accessed from one spot. You can, after all, check into your home computer remotely.

It can therefore feel as though data, however well protected, is always on the precipice of tumbling into the virtual world, like a £100 note fluttering in the air for everyone to grab.

Which is why it is important for organisations, however big or small, to invest in training their staff in security awareness. A lot of time, effort and money can be saved if employees – employers as well – are informed about the latest happenings in the IT industry, like, for example, recent cyber crime trends.

However, interestingly, even if such training is delivered, is it actually having a positive impact? One line of argument is that the value of such training is negligible and it is constricted by certain limitations.

Take for example the recent study from the British Retail Consortium, which found that retailers were often unaware that a crime had taken place and didn’t think it normal to report every incident they were attentive to.

Or what about Graeme Batsman’s comments last month, who had found that small businesses were almost lackadaisical when it came to data protection. The director of Datadefender.co.uk said: “Companies see the stories about leaks and hacks quite a lot, but the main thing is people think that it won’t happen to them. We know things will increase and get worse. More people are using computers and they have to wake up.”

At this year’s RSA Conference, whose theme is The Great Cipher Mightier Than The Sword, Acumin, the leading provider of information security recruitment and risk management recruitment services, will be delivering a special debate on the matter.

Showing a commitment to promoting good discourse, Acumin’s RANT (Risk and Network Threat) forum has assembled some of Europe’s leading thinkers in this area to push the debate further.

This includes Javvad Malik, senior security analyst at The 451 Group; Thom Langford, director of the Global Security Office at Sapient; Kai Roer, a freelance author, trainer and security consultant; Rowenna Fielding, information security manager at the Alzheimer’s Society; Geordie Stewart, managing director at Risk Intelligence; and Christian Toon, head of Information Risk at Iron Mountain Europe.

If it is going to be anything, then enlightening, thought-provoking and fascinating are just a few words that come to mind. It is great when we have multiple voices of authority and experience waxing lyrical about their ideas. Here is where great debate happens.

Acumin will be on call throughout the entire duration of the conference to discuss any questions pertaining to recruitment. It specialises in, among others, information risk management, governance & compliance, penetration testing & forensics and executive management positions.

The RSA Conference at Hilton London Metropole runs from October 9th until 11th.

Online retail crime needs to be addressed

Over the last six months it has rained so much that even a mere glimpse of blue skies or the feeling of sunshine upon our skin has left us elated but nervous. It’s as if we’ve forgotten what that used to feel like, so grey and wet has this year been.

While it may have dampened – literally – our domestic holiday plans, our want to sort the garden shed out, to dine alfresco or spend time watching the world go by in the great outdoors, thankfully, other aspects of our daily lives, have pretty much continued as normal. The digital age has brought everything to our fingertips.

We might have desired to go to the cinema, but streaming videos lets us link up our PCs to our gigantic TVs; a gig might have been called off, but with YouTube, we can watch the band’s music videos; and where we’ve needed to fill up our fridge and not wanted to get blasted with torrential rain, well, with a few clicks, we’ve navigated a virtual supermarket without stepping out of the door.

Everything is possible with the digital life, but while it comes with benefits, there are always downsides. A new report from the British Retail Consortium (BRC) has found that cyber crime, or e-crime as it describes it, represents one of the biggest challenges facing retailers in the 21st century.

In 2011-12 for example, British retailers were hit hard, with breaches to network security costing, in total, £205.4 million. Of this figure, £77.3 million was lost as a direct consequence of fraudulent activity, while the remainder was calculated as projections of business lost as a result of being a victim.

The most popular type of crime was personal identity fraud, followed by card fraud in general, after which came refund fraud. Though this was the bulk of criminal activity, it was by no means exclusive, with phishing also proving to be a growing problem for retailers.

While this in itself is problematic, it doesn’t help that retailers are not approaching such crimes in the same way as they would for non-digital crimes. The study noted that 60 per cent of businesses in this industry were unlikely to report any more than ten per cent of crimes to the authorities.

This indicates that somewhere, along the usual lines of communication, something has gone amiss. Considering that the UK is a leader in online retailing, such losses are harmful to finances and reputation.

“Online retailing has the potential for huge future commercial expansion but government and police need to take e-crime more seriously if the sector is to maximise its contribution to national economic growth,” advised Stephen Robertson, director of the BRC.

“Retailers are investing significantly to protect customers and reduce the costs of e-crime but law makers and enforcers need to show a similarly strong commitment.”

According to the expert, the study shows where efforts need to be directed. Mr Robertson said that the government, along with law enforcement agencies, need to work to develop a “consistent, centralised method for reporting and investigating e-crime”.

We welcome this. If there is, as the BRC calls for, a better, more organised system for getting businesses to consistently report, record and investigate crime, backed up with more support from the authorities, we can get a better, more detailed picture of trends in cyber crime. Knowing this allows us to build up better security measures.

After all, the last thing we want on a rainy day, cooped up in the home, is to lack the confidence to shop online for clothes, food or treats. Technology is about moving forward; it’s high time retailers stepped up.

We could all do with talking more

There’s something to be said about good communication, whether it’s an after work chat on the crazy wages of football stars, an enlightening exchange of tweets with someone across the world on press privacy in a digital age, or a networking meeting to discuss the latest happenings in the information security and risk management industry.

It’s always good to talk, whether you’re the individual imparting your expertise on some of the pioneering ideas you have with regards to penetration testing, or whether you’re an audience member, completely enthralled by an interesting and revelatory discussion on new models of business continuity and disaster recovery.

Human thirst for knowledge, though attainable through an autodidact orientation, is often best in a collaborative environment, ideas bouncing between different minds, the result being unintended outcomes that enlighten.

Bearing all that in mind, we find it odd then that new research from the European Network and Information Security Agency (ENISA) has found that many organisations and individuals across the continent not only are unaware that they have been the victim of cyber crime, but don’t report it.

The consequence of this is a sort of fictitious environment where the actual reality of the cyber crime landscape is not as it seems. Because there’s a gap of knowledge, no coherent system of reporting, what we think we know is decidedly lacking.

“Lack of transparency and lack of information about incidents makes it difficult for policy makers to understand the overall impact, the root causes and possible interdependencies,” the authors of the report state, highlighting the problems this lack of uniformity leads to.

“It also complicates the efforts in the industry to understand and address cyber security incidents. And finally, it leaves customers in the dark about the frequency and impact of cyber incidents.”

This is in spite of the fact that in recent years, many countries, not just in Europe but all around the world, have stepped up their game with their efforts against cyber crime, recognising it as a big challenge to keeping order.

However, where they have fallen short is in talking to one another, keeping each other informed of when they’ve experienced major cyber crimes, and letting other European nations know of advancements they’ve made.

The reason cross-border rapport matters is fairly self-evident. We live in a globalised world where movement across borders, especially in Europe, is the norm and organisations have bases in many countries. Moreover, cyber crime does not care about boundaries: it can happen anywhere in the world and have an international impact.

If, as ENISA notes, there is a common approach to tackling such crimes, a uniform approach to reporting them, and constant dialogue between experts in the respective European nations, then we are already well on the way to addressing the current gaps in knowledge and denting the success of fraudsters. Otherwise we are always going to be losing.

“Reliable and secure internet and electronic communications are now central to the whole economy and society in general,” the report said. “Cyber security incidents can have a large impact on individual users, on the economy and society in general.”

Humans are supposed to be social creatures. Let’s get talking.

Sending a message: The meaning of Google’s privacy fine

The fine levied by the Federal Trade Commission (FTC) on Google for violation of privacy laws was either in proportion to the billions of dollars the multinational tech company makes every year or so big as to send a message that such abuses will not be tolerated by other organisations.

Either way, the $22.5 million (approximately £14.4 million) is humongous. What was the crime? Well, according to the FTC, which exists to ensure that consumers are protected from dishonest, manipulative and unfair practices, Google basically “misrepresented privacy assurances” to users of Apple’s Safari browser.

This is a huge indictment of a company known for its motto “don’t be evil”. In the preface of its code of conduct, Google explains that it’s “about doing the right thing more generally – following the law, acting honourably and treating each other with respect”.

The FTC concluded that the influential company was anything but honourable in its assertion that tracking cookies would not be placed on users’ computers. It did place them, which meant that people’s browsing habits could be monitored without permission and targeted ads could then be served.

“The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” stated Jon Leibowitz, chairman of the FTC. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

It’s a statement of magnitude because it reinforces the importance of privacy, which has had its foundations shaken ever since the internet began to find its voice, so to speak, and people began to “live, socialise and exist” in a virtual world. Without privacy – or the option to preserve it as we choose – we risk being exploited, and the internet becomes a playground for that exploitation.

“At the bottom, the elimination of spyware and the preservation of privacy for the consumer are critical goals if the internet is to remain safe and reliable and credible,” Cliff Stearns, the US representative for Florida’s 6th congressional district, once said. You can’t dispute that argument.

An attorney from the IT Law Group says that companies should not pay lip service to privacy: if they have a stated practice, they should stick to it. Speaking to BankInfoSecurity, Francoise Gilbert, who has far-reaching and detailed experience of data protection and information security, said that while a privacy policy is a good thing, if it is not adhered to it becomes meaningless.

Google, while accepting the fine, did not have to admit any wrongdoing. That is a strange outcome given that the fine is unprecedented, and it led one judge to dissent from the decision. His colleagues, however, argued that a denial of liability is not inconsistent with the “imposition” of a civil penalty. So long as Google pays the fine, that is all that matters.

The FTC accepts that the fine may be perceived as insufficient, but to borrow a line from Heath Ledger’s Joker in The Dark Knight, it’s not necessarily about the money, it’s about sending a message. The fine is part of that message: abuse privacy and you will be hit hard. Google’s reputation might survive intact given how useful it is to our lives, but other companies might not have that luxury.