The State of Cybersecurity: Simplicity is the Ultimate Sophistication

2018 was, for those of us following the state of cybersecurity, a year of extremes. We had the good, the bad and the ugly, with laws made, defences breached, and records leaked. In fact, more than 3 billion records were compromised in just the first six months.

The good came in the form of the Privacy Amendment (Notifiable Data Breaches) Act 2017, which took effect in Australia in February, along with the European Union’s General Data Protection Regulation (GDPR). Countries around the world, including the USA, Canada and Singapore, introduced similar laws requiring data breaches to be disclosed both to those affected and to the authorities. Interestingly, Brazil even called theirs the General Data Protection Law (LGPD).

The bad, of course, was the breaches themselves. From the 500 million records exposed in Marriott’s Starwood breach, to the breach at HR organisation PageUp that affected jobseekers applying to organisations such as Australia Post, a massive number of people endured a painful introduction to the realities of cybercrime. The biggest headlines, though, were reserved for the Cambridge Analytica situation, in which a whistle-blower exposed the company’s use of swathes of information about Facebook users, allegedly to influence the US presidential election. It started as a quiz app, “This Is Your Digital Life”, which around 270,000 people voluntarily completed, but the app also harvested data from those users’ friends (an average of around 322 each), yielding over 87 million profiles.

If that wasn’t ugly enough, then there are the lawsuits. A firm of Sydney lawyers launched a class action against the IT contractor that provided services to NSW Ambulance, after a malicious insider sold sensitive personal information on the dark web. Lawsuits also commenced against British Airways and against the UK supermarket Morrisons. While the laws are a positive, the question remains whether organisations will hide breaches rather than face the penalties: up to €20 million (or 4% of global annual turnover, whichever is greater) under the GDPR, or the more modest yet still painful $2.1 million under Australian law. That is just for businesses; individuals also face fines of up to $400K. Another notable difference between the NDB scheme and the GDPR is the clock: in Australia an organisation has up to 30 days to assess a suspected breach, whereas under the GDPR the supervisory authority must be notified within 72 hours of the organisation becoming aware of it.

The Five Big IT Security Mistakes

What these new laws should do is make organisations think very carefully about where they go next with security. After performing 31 IT security assessments in 2018, ranging from vulnerability assessments to penetration tests, I saw a consistent pattern emerge, which I have brought together into five points:

1. Layers. It is easy to think that the more complex an environment, the harder it is to compromise. We need to look at the equation the other way around: the harder it is to compromise, the harder it is to use. Picture an already complex environment, with users carrying multiple devices in many locations, perhaps with data centres around the world, where the security risk created by that complexity is answered by adding still more layers. What could possibly go wrong?

I think we can all agree that things are complex enough. In pursuit of digital transformation, remember one thing – simplicity is greater than complexity. Adding layers isn’t the answer.

2. Integration. As a result of those layers, integration challenges emerge. Not all vendors’ technologies work well together, although, to be fair, they are getting better. Even so, most data centres are an intricate balance of workarounds that compensate for a lack of integration.

3. Visibility. The layers lead to integration problems, which lead to a lack of visibility, and you are unlikely to detect a threat you cannot see. This increases time to detection. Almost without exception, the indicators of compromise are present in a breached system long before the breach is detected, and longer still before it is reported. Threat actors have ample opportunity to “set up shop” right under the system owners’ noses. An attacker may be inside an organisation’s systems for weeks or even months, yet a skilled attacker can wreak havoc in a few hours. With poor visibility, will you ever know where the attacker has been in your systems, or what they have done?

4. Human error. With poor integration resulting in a lack of visibility, IT staff may have to make decisions based on data that is inadequate, incomplete, or just plain wrong. That complexity is a fertile environment for mistakes, and rash decisions become almost inevitable. Poor visibility breeds errors.

5. Environment. Complex environments have grown up as a result of poor integration. Much like the gambler chasing his losses, the organisation may have invested considerable dollars, people and time into its complex environment, so it is hard to just walk away. Instead, unnecessary complexity is answered by digging an ever bigger hole into which the dollars are poured.

Simple, Sophisticated IT Security

So, how do we achieve sophistication through simplicity? In part, it may be in the way we view those words. Instead of seeing simplicity as weak, we should see it as clean and straightforward, transparent and smooth. Instead of sophistication representing the notion of complexity and elitism, we should pare it back to its true meaning of mature, refined and practical.

If businesses are to achieve strong security, they must transform, and before that, they must take stock. There are some key steps that must be taken if organisations are to avoid repeating the same mistakes:

Assessments. Knowing the current situation, with a thorough investigation of vulnerabilities and risk assessment, provides a solid starting point.

Reduce layers. Most organisations can do more with what they already have. For example, if your firewall is capable of several additional functions, let it perform them, so that you can repurpose, recycle, or simply not buy the extra equipment you would otherwise need.

Integration. Look for solutions that work together. That isn’t as simple as it sounds, but identifying compatible vendors saves a lot of frustration later.

Visibility. Much like the environmental message of reduce, re-use, recycle: in IT we can cut back on layers, re-use equipment, and recycle what is no longer necessary, so that we have a clearer view of our environment.

Reduce human error. When you give people the right tools and systems, they are far more likely to do the right thing and make better choices. If errors are born of poor visibility, then creating greater clarity and reducing complexity will greatly improve accuracy.

Getting the right people to help you on your journey will mean you know the right questions to ask about IT security, leading to the right answers to suit your unique circumstances. Wherever you are on that path, if you need guidance to avoid more of the same, contact me, follow me on LinkedIn, or download our Essential Eight eBook.

Tags: Cyberattack, Cybercrime, JuiceIT, JuiceIT 2019, Security
