Good defence exists, attacks still happen, breaches occur – “Time for security to change.”
“Cybercrime may now be bigger than the drug trade”, quoted the City of London police commissioner Adrian Leppard.
Security breach announcements that were once a rarity in the non IT world are now BBC front page news on a regular basis. Whether it’s the attack and successful removal of data from a previous unknown (but now well known) dating site or the more recent attack and potentially successful data breach of a major consumer telecoms services provider, Cyber attacks are the norm. Is it time to accept them as a necessary by product of the relentless creation and consumption of digital data, sadly yes. But to accept they exist does not mean an acceptance that an attack should be effective when there are so many steps that can be taken to reduce the potential for success. Defending and securing IT systems are not an easy task as the approach includes people, process and systems. To keep all three security aware and congruent at all times is a challenge with that one “out of sync” moment the attack window for a hacker. Do nothing or “do something but slowly” is a sure-fire way to be the next big story on the front page of the BBC news broadcast. It’s time for new thinking, new skills and better visibility EVERYWHERE or the enterprise will NEVER be secure.
Many years ago a large IT company ran a brilliant ad campaign about the need to think differently. In the case of IT systems and Cyber security, thinking differently should include a rigorous appraisal of existing defences, a perspective on the most valuable digital assets within the organisation (and the additional protection they require) and most importantly the need for people to change the way they interact with digital systems (vigilance). To defend against an attack, it’s time to “think like an attacker” and not based on a viewpoint that attacks follow standardised behaviour, are seeking random targets and lack rigour and planning. Today’s attackers or attack teams are extremely well trained, often well funded and have razor sharp focus on the target and expected outcome. Old school thinking based on technology will fall short in this new digital age. It’s time for new school thinking based on the psychology of an attacker as that will surely deliver greater value (protection).
We are in the midst of an enterprise business landscape with an aging work population aligned with traditional IT skills needing to evolve to a revised “digital rich” skills portfolio. This new skillset is likely to be software influenced and will definitely drive the need to think differently, learn now and learn very differently. And to further compound matters the emerging work force of Generation Y and Z thinkers may not be viewing Information Technology as the “must join” profession of circa 25 years ago. Modern enterprises face the quandary of an old workforce with dated security skills, coupled with a new workforce with skills too new to make an impact – who then will solve the security challenges we currently face? Sadly the skills problem will not be resolved overnight with a major investment in academic level cyber awareness, new age security skills training on mass for existing networking and security personnel plus enhanced employee security education as a mandatory activity within all enterprises. It’s time for enterprise organisations to encourage everyone who embraces the benefits of IT to also part be of the solution to the cyber security challenge.
There has been an age old management quote highlighting the difficultly managing things that can’t be seen – so why believe it to be different with data and information technology outcomes. Digital data is now the DNA of modern enterprises with the potential to ignite ongoing success or collapse an organisation to failure. Full visibility of data from edge to core with the potential to preempt attacks or fast remediate breaches is now an essential element of the enterprise IT systems operational playbook. Breaches will occur in a digital data rich enterprise due to the challenge of continually appraising human, IT and non IT systems behaviour in context and in sync. However enhanced visibility leveraging optimised data analytics can highlight anomalies or areas for further investigation earlier with the hope it’s early enough for the correct intervention prior to a breach. And if an when a breach unfortunately occurs, “flight recorder” type data playback of the pre and post breach state will accelerate the time to triage and remediate plus reduce the potential for a mirrored attack. Many highlight “encryption everywhere” as one of the most impact full strategies for data protection and the emerging and very interesting “software defined perimeter (SDP)” approach (zero trust access control and data movement) as instant fixes. There is no doubt that both will be highly effective protection elements but only as part of a wholesale rethink of security defence, protection and breach remediation.
Enterprises MUST now change their approach and security solutions expectations. The increased use of mobile solutions, cloud computing and virtualisation are not creating a problem for security professions but instead delivering the potential to “reset” security protection and defence within the enterprise. The days of “adding more layers”, often bigger or higher than previously delivered are no more – instead it’s time to design a solution for an enterprise in a state of continual attack not in “comfortable defence”. Effective digital systems security WILL be a primary business enabler in the digital age as enterprises that fail to defend well, remediate quickly and understand attacks may not survive for long enough to fully recover.
Until next time.
Chief Technologist – Networking, Security, UC – Computacenter UK