When and where did cyber security take a wrong turn? And how you can regain control of your company’s security posture
by Ian Cook
The cyber security industry appears to be struggling to keep pace with a seemingly never-ending stream of new vulnerabilities exposing organisations to ransomware attacks, corporate espionage and worse. Trade shows such as InfoSecurity Europe 2017 host hundreds of new “off-the-shelf solutions” that claim to provide cyber security at a stroke. The million-dollar question is whether a custom-made solution, built around the company’s precise needs and fully interoperable with its existing systems, is possible at all.
Galvanised by a flurry of recent cyber crimes such as the WannaCry ransomware attacks that temporarily crippled organisations in 80-plus countries, gullible chief executives open their wallets in the mistaken belief that their cyber security problems can be solved simply by throwing cash at them. Meanwhile, malicious cyber attacks continue at an alarming, although still largely unreported, rate. Compulsory reporting of cyber attacks and potentially huge fines are also set to kick in when the EU’s General Data Protection Regulation (GDPR) comes into force in May 2018, an eventuality for which many organisations are still woefully unprepared. Such circumstances have made cyber security the number one priority for a company’s well-being.
The reason so many organisations are finding it almost impossible to cope with the current cyber crime tsunami is that, somewhere along the line, cyber security took a wrong turn and never looked back. In the early years of the digital age, it was a relatively straightforward matter to safeguard crucial corporate data, which ran on systems situated within closed environments, much like a castle with a moat and drawbridge. Thirty years ago, access to the data centres or “machine rooms” housing corporate systems was given only to trusted personnel. The environment was strictly controlled; no new hardware or software was introduced without the data centre manager’s explicit approval. Access to corporate systems and data was based on a need-to-know principle. Cleaners, engineers and other visitors never entered the room unless escorted.
But by the mid-1990s, companies across the world suddenly became aware of something called the internet, which enabled free communication between any connected computer on the planet. Initially, organisations were cautious; a single computer might be connected to the internet for research purposes. But, in order to access exciting new applications such as email, corporations soon began to connect more and more work systems to the internet.
At the same time, busy executives started taking their portable computers home at night. Where once, conscientious staff struggled home with huge brief cases stuffed with documents and reports, a new generation of laptop computers meant they could have access to all the data they needed anywhere with an internet connection. Soon the line between business and home computing became blurred. As computing technology improved, portability became the IT industry’s new watchword with manufacturers racing to produce the sleekest and lightest laptop computer. By the end of the century, a new short-radius technology called wifi enabled laptops to connect to the internet even when outside the office or the home. At the same time, mobile phone makers were promoting connected devices such as the Nokia Communicator, the granddaddy of today’s smartphones.
Users can now access their favourite movie, catch up on the latest news or keep in touch with friends and colleagues using a growing range of lightweight pocketable devices. Being away from the office is no longer seen as an excuse for missing an important email or failing to read your boss’s latest tweet. Conscientious employees like to be seen to be “always-on”, responding to international communications at what would, only a generation ago, be seen as wildly unsociable hours. At the same time, people increasingly bring their home life into the office, booking bargain holidays during the Friday afternoon office lull or making social arrangements from their work desks.
Many pundits and social commentators see this trend as evidence of a new shift in people’s work/life balance, and more enlightened organisations allow some staff to work from home. Those whose work involves travelling access corporate data while eating in a restaurant, waiting for a flight at the airport or even while stuck on underground trains.
In order to save companies from being forced to constantly invest in the latest and sleekest digital toys, staff were too often encouraged to use their own smartphones and tablets to access corporate data and communications. Misguided, cost-cutting bring-your-own-device (BYOD) policies further blurred the line between corporate and personal data access.
Today’s chief information security officers (CISOs) frequently have dark shadows under their eyes and hunted expressions on their faces, and can often be heard mumbling phrases such as “herding cats” and “putting the genie back in the bottle” as they confront the impossibility of securing thousands of online devices and training staff to exercise caution while socialising on Facebook or LinkedIn. They are told that the Internet of Things (IoT) will represent a new “challenge” as they are forced to secure security cameras, “smart” watches and a growing array of previously unconnected devices to prevent them being used by hackers as back doors into the corporate network.
What is now needed is a new focus on threat management and detection capabilities that would help monitor previously invisible fragments of the security workflow and thus provide a new, holistic approach to cyber intelligence. One example is “Swordfish”, a platform created by Obrela Security Industries, which aims to integrate and embed cyber security measures into standard business processes, providing business leaders with real-time visibility of the company’s security posture.
Organisations must now accept that the laissez-faire approach of “always-on” staff and BYOD is over, and must learn from the kind of nightmares recently experienced by organisations ranging from TalkTalk to the NHS.
An organisation should begin by defining its exposure level and then act accordingly. The first step should be to make a full inventory of all devices that are connected to the corporate network. This should be followed by a second inventory of all the software running on these devices, authorised and unauthorised alike. After ensuring compliance with international best practices and regulations, strict control of administrative privileges must be enforced, ensuring staff do not download their own software, for whatever reason, without clearance. There must also be secure configurations for firewalls, routers, switches and computer systems.
Email, browser and social media applications should have their security features turned on. Improving your company’s threat management with multiple layers of detection and prevention contributes to cyber security situational awareness and real-time operational visibility. Regular red team penetration tests, which simulate real-world attacks to evaluate the effectiveness of your security defences and policies, should be carried out.
Back-up data must also be stored offsite where possible or, in the case of smaller organisations, on hard drives kept in a fire-proof safe. At the moment, too many SMEs store their most valuable data on office servers in a single location that is vulnerable to theft or fire, potentially destroying their entire business overnight.
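The device inventory, software inventory and administrative-privilege controls described above can be turned into a repeatable check: reconcile what a network scan actually observes against the register of approved devices, the software allow-list and the accounts permitted to hold administrator rights, and report every deviation. The script below is an added example written for this article, not code from the author or from any product mentioned here. The device register, software allow-list, admin list and the scan results are all constructed sample data, and the hostnames, package names and the “endpoint-agent” name are assumptions for illustration.

```python
"""Reconcile an observed device/software inventory against an approved-asset
register and flag unknown devices, unauthorised software, missing security
agents and unexpected local administrator accounts (added example)."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Device:
    hostname: str
    owner: str
    software: Set[str] = field(default_factory=set)  # installed packages found by the scan
    admins: Set[str] = field(default_factory=set)    # local administrator accounts found


# Constructed register of devices authorised to join the network (hostname -> owning team).
APPROVED_DEVICES: Dict[str, str] = {
    "fin-laptop-01": "finance",
    "hr-desktop-02": "hr",
    "ops-server-03": "operations",
}
# Constructed allow-list of software cleared for corporate use.
APPROVED_SOFTWARE: Set[str] = {"office-suite", "web-browser", "vpn-client", "endpoint-agent"}
# Constructed list of accounts permitted to hold local administrator rights.
APPROVED_ADMINS: Set[str] = {"it-admin"}
# Hypothetical name of the security agent every managed device must run.
REQUIRED_AGENT = "endpoint-agent"

# Constructed scan result: what was actually seen on the network today.
OBSERVED: List[Device] = [
    Device("fin-laptop-01", "finance", {"office-suite", "web-browser", "endpoint-agent"}, {"it-admin"}),
    Device("hr-desktop-02", "hr", {"office-suite", "torrent-client", "endpoint-agent"}, {"it-admin", "jsmith"}),
    Device("BYOD-phone-7", "unknown", {"web-browser"}, {"owner"}),
]

Finding = Tuple[str, str, str]  # (kind, hostname, detail)


def audit(observed: List[Device],
          approved_devices: Dict[str, str],
          approved_software: Set[str],
          approved_admins: Set[str],
          required_agent: str = REQUIRED_AGENT) -> List[Finding]:
    """Return every deviation between the scan and the approved register."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for dev in observed:
        seen.add(dev.hostname)
        # A device not in the register is unmanaged: it still gets the other checks
        # so the report shows what it carries.
        if dev.hostname not in approved_devices:
            findings.append(("unknown_device", dev.hostname, ""))
        # Anything installed outside the allow-list is unauthorised software.
        for pkg in sorted(dev.software - approved_software):
            findings.append(("unauthorised_software", dev.hostname, pkg))
        # Every device should run the security agent.
        if required_agent not in dev.software:
            findings.append(("missing_agent", dev.hostname, required_agent))
        # Administrator rights outside the approved accounts breach least privilege.
        for acct in sorted(dev.admins - approved_admins):
            findings.append(("unexpected_admin", dev.hostname, acct))
    # Registered devices that did not appear may be lost, stolen or simply offline;
    # either way the inventory is stale and someone should check.
    for host in sorted(set(approved_devices) - seen):
        findings.append(("registered_but_unseen", host, ""))
    return findings


if __name__ == "__main__":
    for kind, host, detail in audit(OBSERVED, APPROVED_DEVICES, APPROVED_SOFTWARE, APPROVED_ADMINS):
        print(f"{kind:24} {host:16} {detail}")
```

Run on the constructed data the report flags the torrent client and the extra administrator on the HR desktop, the unregistered phone with no agent and a self-administered account, and the registered server that never showed up. In practice the `OBSERVED` list would be populated from an asset-discovery or endpoint-management export, and the register and allow-list would be the ones the article tells you to build first.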
While it may be impractical for the cyber security industry to execute an immediate U-turn and return to the days of highly secured data centres and machine rooms, organisations must start to understand that there is not, and never will be, an off-the-shelf solution to cyber security, and that constant vigilance, together with strict security procedures built from the inside out, must form part of the company’s everyday modus operandi.
Ian Cook is CEO and Founder of Corbels Security Services and has 35 years of experience advising businesses on their strategic decisions, including Saudi American Bank, Citigroup, Merrill Lynch, Team Cymru and numerous technology start-ups. He is also a mentor at Cyber London (CyLon), Europe’s first cyber security accelerator, and at HutZero, the UK’s first cyber security bootcamp.