The State of Cybersecurity: Simplicity is the Ultimate Sophistication

2018 was, for those of us following the state of cybersecurity, a year of extremes. We had the good, the bad and the ugly, with laws made, defences breached, and records leaked. In fact, more than 3 billion records were compromised in just the first six months.

The good came in the form of the new Privacy Amendment (Notifiable Data Breaches) Act 2017 in Australia in February, along with the European Union’s General Data Protection Regulation (GDPR) legislation. Countries around the world, including the USA, Canada and Singapore introduced similar laws, requiring data breaches to be disclosed to those affected and to authorities. Interestingly, Brazil even called theirs the General Data Protection Law – GDPL.

The bad, of course, was the breaches themselves. From Marriott Starwood’s 500 million records, to HR organisation PageUp’s breach affecting jobseekers for organisations like Australia Post, a massive amount of people endured a painful introduction to the realities of cybercrime. The biggest headlines, though, were reserved for the Cambridge Analytica situation, in which a whistle-blower exposed the company’s use of swathes of information about Facebook users in a manner alleged to influence the US presidential election. This started as a project “This Is Your Digital Life” which 270K people voluntarily filled in, but it harvested data from their “friends”, on an average of 322 for over 87 Million records. Click here to read more about the above and other notorious cyberattacks of 2018.

If that wasn’t ugly enough, then there’s the lawsuits. A firm of Sydney lawyers launched a class action against the IT firm doing services for NSW Ambulance, after a malicious insider sold sensitive user information on the dark web. Lawsuits also commenced against British Airways and against UK supermarket Morrison’s. While the laws are a positive, the question remains about whether organisations will hide things rather than face the €20million penalty (or 4% of global turnover, whichever is greater) possible under the GDPR, or the more modest yet still painful $2.1 million under Australian laws? That’s just for businesses. Individuals are also face up to $400K fines. Another interesting difference between NDB and GDPR is we have 30 days to report; where the EU has only 72 hours.

The Five Big IT Security Mistakes

What these new laws should do is make organisations think very carefully about where they go next with security. After performing 31 IT security assessments in 2018, ranging from vulnerability assessments to penetration tests, a consistent pattern emerged. I was able to bring this together into five things:

1. Layers. It is easy to think that the more complex an environment, the harder it is to compromise. We need to look at the equation the other way around: the harder it is to compromise, the harder it is to use. When working in a complex environment, with users carrying multiple devices in many locations, perhaps with data centres around the world, and security risk caused by complexity is answered by adding more layers, what could possibly go wrong?

I think we can all agree that things are complex enough. In pursuit of digital transformation, remember one thing – simplicity is greater than complexity. Adding layers isn’t the answer.

2. Integration. As a result of those layers, integration challenges emerge. Not all vendors’ technologies work well together, although to be fair, they’re getting better. However, most data centres are an intricate balance of workarounds to counter lack of integration.

3. Visibility. The layers lead to integration problems, which lead to a lack of visibility, and it is unlikely you’ll be able to detect a threat you can’t see. This increases time to detection. Almost without exception, the indicators of compromise are present in every system that is breached long before it occurs and even longer before it is reported. Threat actors have ample opportunity to “set up shop” right under the system owners noses. A hacker could be in an organisation’s systems for weeks or even months, but a skilled hacker can wreak havoc in a few hours. With poor visibility, will you ever know where the hacker has been in your systems, or what they have done?

4. Human error. With poor integration resulting in a lack of visibility, IT staff may have to make decisions based on data that is inadequate, incomplete, or just plain wrong. This complexity makes a fertile environment for mistakes, with rash decisions being almost inevitable. Poor visibility breeds errors.

5. Environment. Complex systems have emerged as a result of poor integration. Much like the gambler chasing his losses, the organisation may have invested considerable dollars, people and time into its complex environment, so it is hard to just walk away. Instead, unnecessary complexity is answered by just keeping digging a bigger hole into which the dollars are poured.

Simple, Sophisticated IT Security

So, how do we achieve sophistication through simplicity? In part, it may be in the way we view those words. Instead of seeing simplicity as weak, we should see it as clean and straightforward, transparent and smooth. Instead of sophistication representing the notion of complexity and elitism, we should pare it back to its true meaning of mature, refined and practical.

If businesses are to achieve strong security, they must transform, and before that, they must take stock. There are some key steps that must be taken if organisations are to avoid repeating the same mistakes:

Assessments. Knowing the current situation, with a thorough investigation of vulnerabilities and risk assessment, provides a solid starting point.

Reduce layers. Most organisations can do more with what they already have. To give an example, if you have a firewall capable of several additional functions, let it do them, so you can repurpose or recycle, or not buy, the extra equipment you would otherwise need.

Integration. Look for solutions that work together. That isn’t as simple as it sounds, but identifying compatible vendors saves a lot of frustration later.

Visibility. Much like the environmental message of reduce, re-use, recycle, in IT we can cut back on layers, re-use equipment, and recycle what is no longer necessary, so that we have a clearer view of our environment.

Reduce human error. When you give people the right tools and systems, they will do the right thing and make better choices. If errors are born of poor visibility, then creating greater clarity and reducing complexity will greatly improve accuracy.

Getting the right people to help you on your journey will mean you know the right questions to ask about IT security, leading to the right answers to suit your unique circumstances. Wherever you are on that path, if you need guidance to avoid more of the same, contact me, follow me on LinkedIn, or download our Essential Eight eBook.

Tags: Cyberattack, Cybercrime, JuiceIT, JuiceIT 2019, Security



Information protection in an age of information theft

Managing and safeguarding data across various apps, clouds, and endpoints is an uphill battle. It’s led to organisations relying on…

Customer Story: Knight Frank

Cloud Transition an Azure Success Story for Knight Frank Download Customer Story Contact a Specialist Objective…

3CX Desktop App Critical Vulnerability Alert

The Australian Cyber Security Centre has issued a warning about a new supply chain attack that has targeted a…

Managed Services eBook
Your guide to Data#3 Managed Services

Digital disruption is causing significant changes in the workplace, leading to higher expectations for access, security, and support regardless of…

JuiceIT Guest Blog | How XDR can help when time is of the essence

The only thing worse than cyber threats is an inability to detect those threats in time. Organisations need the…

JuiceIT Guest Blog | Veeam Platform: Reliable and Fast Recovery from Ransomware in a Hybrid World.

Ransomware attacks have become a growing concern for organisations of all sizes in Australia and New Zealand, resulting in significant…

Customer Story: Pernod Ricard Winemakers

Azure Migration gives Pernod Ricard Greater Flexibility and Improved Performance Download Customer Story Contact a Specialist…

Why would you deploy SASE?
If Secure Access Software Edge (SASE) with Cisco Meraki is the destination, what does the journey to get there look like?

Firstly, let’s set the scene. The term SASE was first mentioned by Gartner Analysts in July 2019 and Gartner continues…