Integrating IT security at the board level
2014 has seen an upsurge in public awareness of cybercrime, with a flurry of high-profile security breaches hitting the headlines. The sensationalised coverage of the Heartbleed and Shellshock bugs struck fear into the hearts of businesses and consumers alike, while a cyber-attack on eBay led to the theft of around 145 million usernames and encrypted e-mail addresses, proving that an organisation is never too big to fall prey to cybercriminals. These breaches are not likely to subside anytime soon.
The problem remains, however, that risk is usually only managed at the board level once a major attack has taken place, which, besides being by far the most expensive way to resolve such problems, is neither logical nor sustainable. When US retailer Target was hit by a data breach, its profits fell by 46%. Cybercrime must be tackled from the top down in a proactive and strategic way in order to prevent such crippling financial and reputational damage from occurring on a regular basis.
Why are businesses still failing to implement efficient, functional IT security strategies? The issue is multifaceted, but there are several obvious barriers to the prevention of both targeted and opportunistic attacks. Overall, there is a need for a significant shift in business culture from regarding IT security as something “best left to the experts” to something that permeates the heart of a company’s culture, including its policy and its people.
Effective IT security depends much less on technology than most managers might think – while investment in the right software is important, a lack of ownership over the potential for human error means companies are setting themselves up for eventual failure. “Having a secure network, though essential, is only part of an organisation’s ability to operate an effective IT security process. After all, any cyber-attack is born from a weak link in the security chain,” says Terry Greer-King, Director, Cyber Security, Cisco UKI. These “weak links” can manifest in various forms, ranging from an employee’s benign ignorance of company IT policy to full-blown social engineering of employees by malicious outsiders.
“We are already seeing a movement from ‘hacking the computer’ to ‘hacking the user’,” says Giovanni Vigna, CTO at Lastline. “This is because attackers always use the path of least resistance, and it is becoming easier to trick a user into installing malware than performing a remote compromise, especially in the case of targeted attacks. The best way to defend against this is user education, and the challenge is to make the concepts of deception and trust understandable to non-technical people.”
Indeed, many of the measures employed by well-meaning managers run counter to the way ordinary human beings actually think and behave. For example, long, randomly-generated passwords may be successful in confounding hackers, but the majority of people simply won’t be able to remember them, which leads to writing them down – thereby undermining the very concept of a secure password in the first place. “When people act inappropriately most organisations coordinate their response the same way they have for the last fifteen years: email, spreadsheets and ticketing systems. The proliferation of data, increasingly sophisticated attacks and mounting regulatory requirements have rendered these manual approaches completely ineffective. Important actions fall through the cracks and subject organisations to unnecessary risk,” adds John Bruce, CEO of Co3 Systems.
The unfortunate truth is, technology simply cannot protect companies against these very human problems – and outmoded ways of dealing with transgressions within organisations are no longer working. David Emm, Principal Security Researcher at Kaspersky, believes the first step in the right direction is to work with human nature rather than against it, and “demystify security issues, explaining them to staff in an easy to understand manner. This means varied forms of communication – written and verbal – as well as including the usual catalogue of do’s and don’ts for staff to follow.”
While humans are undoubtedly organisations’ weakest link, they can also provide a way to solve the problems they create through the analysis of available data, suggests Uri Rivner, VP Business Development and Cyber Strategy at BioCatch: “Creating a baseline of a user activity, their interactions, habits, choices and behaviour, is now achievable. Intruder detection, once in the realm of network and content analysis, will become a human analysis task instead. New technologies based on Big Data analytics and behind-the-scenes cognitive biometrics are paving the path to a new defence doctrine that will detect human actions, locate anomalies and analyse their risk in real-time.”
Ross Dyer, Technical Director, Trend Micro UK, adds, “Organisations will start to focus heavily on analytics that provide a view of security at any given moment and not just rely on yearly audits or pen tests. Understanding your posture at a given time is critical to being able to respond to threats, protect your sensitive data and meet compliance requirements.”
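The behavioural baselining that Rivner and Dyer describe can be made concrete with a small per-user profile and an anomaly score. The following is an added illustration, not code from the article or from any vendor quoted in it: it builds a baseline from constructed login records (hour of day, source country, data volume; all values are invented for the example), then scores new events against that baseline so that a defender can prioritise which ones to review instead of waiting for a yearly audit.

```python
"""Per-user behavioural baseline with simple anomaly scoring.

Added example for the article's discussion of baselining user activity.
All events below are constructed sample data, not real logs.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, hour_of_day, source_country, megabytes_downloaded)
HISTORY = [
    ("alice", 9, "GB", 12.0), ("alice", 10, "GB", 15.0), ("alice", 9, "GB", 11.0),
    ("alice", 11, "GB", 14.0), ("alice", 8, "GB", 13.0), ("alice", 10, "GB", 12.5),
    ("bob", 14, "GB", 40.0), ("bob", 15, "DE", 45.0), ("bob", 13, "GB", 38.0),
    ("bob", 16, "DE", 42.0), ("bob", 14, "GB", 44.0), ("bob", 15, "GB", 41.0),
]


def build_baseline(events):
    """Build a per-user profile: typical hour, typical volume, countries seen."""
    per_user = defaultdict(list)
    for user, hour, country, mb in events:
        per_user[user].append((hour, country, mb))
    baseline = {}
    for user, rows in per_user.items():
        hours = [h for h, _, _ in rows]
        volumes = [v for _, _, v in rows]
        baseline[user] = {
            "hour_mean": mean(hours),
            # Floor the spread so a perfectly regular history still yields finite z-scores
            "hour_sd": max(pstdev(hours), 0.5),
            "mb_mean": mean(volumes),
            "mb_sd": max(pstdev(volumes), 0.5),
            "countries": {c for _, c, _ in rows},
        }
    return baseline


def score_event(baseline, event):
    """Return (risk, reasons) for one event; users without a baseline score high by default."""
    user, hour, country, mb = event
    profile = baseline.get(user)
    if profile is None:
        return 3.0, ["no baseline for user"]
    risk, reasons = 0.0, []
    hour_z = abs(hour - profile["hour_mean"]) / profile["hour_sd"]
    if hour_z > 3:
        risk += 1.0
        reasons.append(f"unusual hour ({hour_z:.1f} sd from normal)")
    # Only excess volume is suspicious; a small download is not an exfiltration signal
    mb_z = (mb - profile["mb_mean"]) / profile["mb_sd"]
    if mb_z > 3:
        risk += 1.5
        reasons.append(f"download volume {mb_z:.1f} sd above normal")
    if country not in profile["countries"]:
        risk += 1.0
        reasons.append(f"first login seen from {country}")
    return risk, reasons


def triage(baseline, events, threshold=2.0):
    """Return events at or above the threshold, highest risk first, for analyst review."""
    scored = [(score_event(baseline, e), e) for e in events]
    flagged = [(risk, e, why) for (risk, why), e in scored if risk >= threshold]
    return sorted(flagged, key=lambda item: item[0], reverse=True)


if __name__ == "__main__":
    profiles = build_baseline(HISTORY)
    new_events = [
        ("alice", 10, "GB", 13.0),    # ordinary working-day login
        ("alice", 3, "RU", 900.0),    # off-hours, new country, very large transfer
        ("carol", 9, "GB", 1.0),      # account with no history at all
    ]
    for risk, event, why in triage(profiles, new_events):
        print(f"risk={risk:.1f} {event}: {'; '.join(why)}")
```

The thresholds and weights are deliberately crude; in practice they would be tuned per population and combined with the other signals the article mentions (device, content, network). The point is structural: a baseline turns "is this login bad?" into "how far is this from what this person normally does?", which is a question the data can answer continuously rather than once a year.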
The threat from humans is nothing new, but recent technology has given rise to a new level of cyber risk, argues Uri Rivner: “State sponsored attackers have been penetrating thousands of targets in the last five years, and every major corporation should assume someone is already operating within their systems. But two other tidal waves have hit IT: mobility and cloud. Users bring their own devices, demand unlimited access, and will always seek the path of least security, because it’s typically also the path of least friction. Humans can’t be patched, easily fall for social engineering, and in 99% of external intrusions will be the gateway through which an attacker gains access into the network. They also pose an enormous insider threat.”
Rupert Clayson, Regional Sales Director UK & Ireland at Fortinet, adds, “In the era of APT, malware attacks are more subtle, intelligent and dangerous. These APTs are aided by the rapid uptake of new ways of working such as BYOD, social and collaboration tools, where users’ endpoints are also used for non-business use. This personal interaction with technology is increasingly the front line, and something as simple as a link on Facebook to an infected webpage can prove the entry point into an organisation’s network.”
However sophisticated a piece of IT security technology, the fight against cybercrime is one where the attackers will, by default, always be a step ahead of the victims – meaning that even a multi-layered enterprise security system with patches religiously kept up to date will have a weakness somewhere that can be exploited. Gartner has estimated that on a typical corporate network, around one in 20 pieces of executable code is malware that has managed to escape all technical controls.
Policy and strategy
Perhaps it is the sheer speed at which the level of device connectivity has exploded throughout the IT world, or maybe it is down to the commodification of hacking tools being too widespread for top-level management to keep up with, but intelligent integration of IT security within organisations is sorely lacking in the face of so many threats. Many companies purport to have taken all necessary measures to prevent a breach, when in fact most of them have simply bought expensive new software without taking a strategic, nuanced approach to protecting themselves.
Kurt Glazemakers, SVP Product Strategy at Cryptzone, sums up the current disparity between reality and the realm of electronic communications: “At the moment, the way information security is applied is vastly different from what happens in the real world. Imagine this scenario – someone arrives at the front door, waving an ID card that they’ve picked up off the street and no-one compares it against their physical appearance before letting them through. Having successfully gained access, would the imposter then be allowed to open all cupboards and rifle through drawers, even in areas where they really should be challenged?”
Prioritising which critical assets deserve the most vigilant protection is a far more worthwhile endeavour for managers than trying to defend against every single threat. Like a shopkeeper who keeps his most valuable products in locked glass cabinets where he can see them – and accepts that schoolchildren may shoplift packets of chewing gum – the approach to cyber security must be flexible, practical and based in reality rather than idealism. Ifeanyi Nwabueze, Technical Consultant at F-Secure, describes this mind-set as “managing the network assets in a state of ‘presumed breach’” – that is, accepting that a breach will probably happen at some point, understanding the realities of the threat, and anticipating what will be needed to neutralise it.
Resourcing must play a key part in a good security strategy, but a lack of available talent still poses a challenge to management, says Thomas Owen, Security Manager at Memset. “There are far more security-focused jobs than people. That’s why it’s important to back the people up with an automation and data aggregation framework to act as a force multiplier. A few key security hires can have a disproportionate impact.” “For organisations that can afford to, hire an Information Security Manager or an Information Security Management Service Provider,” advises Ifeanyi Nwabueze.
Going forward, board level decisions regarding IT security may even need to extend to the recruitment process, complete with employee incentives, in order to place education about procedures, risks and consequences at the very heart of organisations. This measure should be combined with nuanced analysis of existing employee behaviours and with learning from the patterns of previous security breaches, so that future problems can be anticipated rather than merely reacted to.
Ultimately, however, human weakness will be nearly impossible to eradicate completely – “We are psychologically designed to be helpful, empathic, kind, communicative, merciful, all perfectly admirable qualities that can be used to model, predict and exploit behaviour,” says Thomas Owen, Security Manager at Memset. “The spend required to audit and reconfigure a network is definable and can be related to the positive impact of the work, but it’s vastly more difficult to metricise an effort to ‘secure the human’.”