2018 was, for those of us following the state of cybersecurity, a year of extremes. We had the good, the bad and the ugly, with laws made, defences breached, and records leaked. In fact, more than 3 billion records were compromised in just the first six months.
The good came in the form of the new Privacy Amendment (Notifiable Data Breaches) Act 2017 in Australia in February, along with the European Union’s General Data Protection Regulation (GDPR) legislation. Countries around the world, including the USA, Canada and Singapore introduced similar laws, requiring data breaches to be disclosed to those affected and to authorities. Interestingly, Brazil even called theirs the General Data Protection Law – GDPL.
The bad, of course, was the breaches themselves. From Marriott Starwood’s 500 million records, to HR organisation PageUp’s breach affecting jobseekers for organisations like Australia Post, a massive number of people endured a painful introduction to the realities of cybercrime. The biggest headlines, though, were reserved for the Cambridge Analytica situation, in which a whistle-blower exposed the company’s use of swathes of information about Facebook users in a manner alleged to influence the US presidential election. This started as a project, “This Is Your Digital Life”, which 270K people voluntarily filled in, but it also harvested data from their “friends” (an average of 322 each), yielding over 87 million records.
If that wasn’t ugly enough, then there are the lawsuits. A firm of Sydney lawyers launched a class action against the IT firm providing services to NSW Ambulance, after a malicious insider sold sensitive user information on the dark web. Lawsuits also commenced against British Airways and against UK supermarket Morrison’s. While the laws are a positive, the question remains whether organisations will hide things rather than face the €20 million penalty (or 4% of global turnover, whichever is greater) possible under the GDPR, or the more modest yet still painful $2.1 million under Australian law. That’s just for businesses. Individuals also face fines of up to $400K. Another interesting difference between the NDB scheme and the GDPR is that we have 30 days to report, whereas the EU allows only 72 hours.
The Five Big IT Security Mistakes
What these new laws should do is make organisations think very carefully about where they go next with security. After performing 31 IT security assessments in 2018, ranging from vulnerability assessments to penetration tests, a consistent pattern emerged. I was able to bring this together into five things:
1. Layers. It is easy to think that the more complex an environment, the harder it is to compromise. We need to look at the equation the other way around: the harder it is to compromise, the harder it is to use. When working in a complex environment, with users carrying multiple devices in many locations, perhaps with data centres around the world, the security risk caused by that complexity is typically answered by adding yet more layers. What could possibly go wrong?
I think we can all agree that things are complex enough. In pursuit of digital transformation, remember one thing – simplicity is greater than complexity. Adding layers isn’t the answer.
2. Integration. As a result of those layers, integration challenges emerge. Not all vendors’ technologies work well together, although to be fair, they’re getting better. However, most data centres are an intricate balance of workarounds to counter lack of integration.
3. Visibility. The layers lead to integration problems, which lead to a lack of visibility, and it is unlikely you’ll be able to detect a threat you can’t see. This increases time to detection. Almost without exception, the indicators of compromise are present in a breached system long before the breach occurs, and even longer before it is reported. Threat actors have ample opportunity to “set up shop” right under the system owners’ noses. A hacker could be in an organisation’s systems for weeks or even months, but a skilled hacker can wreak havoc in a few hours. With poor visibility, will you ever know where the hacker has been in your systems, or what they have done?
4. Human error. With poor integration resulting in a lack of visibility, IT staff may have to make decisions based on data that is inadequate, incomplete, or just plain wrong. This complexity makes a fertile environment for mistakes, with rash decisions being almost inevitable. Poor visibility breeds errors.
5. Environment. Complex systems have emerged as a result of poor integration. Much like the gambler chasing his losses, the organisation may have invested considerable dollars, people and time into its complex environment, so it is hard to just walk away. Instead, unnecessary complexity is answered by simply digging a bigger hole into which the dollars are poured.
Simple, Sophisticated IT Security
So, how do we achieve sophistication through simplicity? In part, it may be in the way we view those words. Instead of seeing simplicity as weak, we should see it as clean and straightforward, transparent and smooth. Instead of sophistication representing the notion of complexity and elitism, we should pare it back to its true meaning of mature, refined and practical.
If businesses are to achieve strong security, they must transform, and before that, they must take stock. There are some key steps that must be taken if organisations are to avoid repeating the same mistakes:
Assessments. Knowing the current situation, with a thorough investigation of vulnerabilities and risk assessment, provides a solid starting point.
Reduce layers. Most organisations can do more with what they already have. To give an example, if you have a firewall capable of several additional functions, let it do them, so you can repurpose or recycle, or not buy, the extra equipment you would otherwise need.
Integration. Look for solutions that work together. That isn’t as simple as it sounds, but identifying compatible vendors saves a lot of frustration later.
Visibility. Much like the environmental message of reduce, re-use, recycle, in IT we can cut back on layers, re-use equipment, and recycle what is no longer necessary, so that we have a clearer view of our environment.
Reduce human error. When you give people the right tools and systems, they will do the right thing and make better choices. If errors are born of poor visibility, then creating greater clarity and reducing complexity will greatly improve accuracy.
Getting the right people to help you on your journey will mean you know the right questions to ask about IT security, leading to the right answers to suit your unique circumstances. Wherever you are on that path, if you need guidance to avoid more of the same, contact me, follow me on LinkedIn, or download our Essential Eight eBook.