When it comes to cyber security, separating fact from fiction is never as easy as it seems. Given the hysterics many security software vendors are prone to, it’s easy to see why many a pertinent point is lost in the noise. While this noise will no doubt ring louder in 2013, there are a few things that organisations can do for their own peace of mind. Staying safe in 2013 will need a lot more than implementing the latest software and will require an important shift in thinking.
The one thing we can be sure of is that the threat landscape in 2013 isn’t going to be drastically different from what we have seen this year. Hacktivism may have been a novelty in 2011 but the trend is here to stay. The sophistication on display by hackers will continue to sharpen and from BYOD to hybrid cloud the number of conduits allowing them entry into a network will continue to expand.
Faced with such a scenario, technology consulting firm BAE Systems Detica’s head of strategic programs David Owen says that companies need to make a strategic shift in their thinking from ‘prevention’ to ‘minimising harm.’
The predisposition to keep everything under lock and key is a one dimensional approach to a multi-faceted problem and eventually a futile endeavour. Owen suggests that organisations are better off concentrating on minimising the ‘dwell time’ and the impact of potential compromises.
“This requires a real change in thinking and currently, investment and threat are not aligned,” Owen says.
The skills crisis
So companies need to re-align their focus on achieving resilience, but their willingness to make the jump is somewhat hampered by an ongoing skills shortage in information security. According to Owen, not only are the existing ranks thin on the ground, but many working in the area don’t have the skills required at the necessary level.
“While we have plenty of fancy toolsets, we don’t have the necessary skills to get the most out of them,” Owen says.
“Many security teams need an urgent upgrade and lifting general knowledge across the board is critically important.”
The skills problem is firstly exacerbated by the limited formal education available and further compounded by the breakneck speed at which the industry is moving. Addressing this skills crisis needs to be a key priority in 2013, says Owen, with a need for investment at a national policy level.
A step ahead of the game
At the end of the day it’s this investment that will provide the necessary manpower for an environment where technology is already a generation ahead of the security controls it needs. The primary factor behind the shift is the rapid adoption of the mobile, social and BYOD trends across organisations. This in turn has led to a proliferation of data sources and the creation of extra entry points for attackers to exploit.
Despite their best intentions, end users are more often than not unable to defend themselves, leaving their devices at the mercy of miscreants. One possible avenue when it comes to countering the threat is the implementation of protected enclaves. The idea essentially requires subdividing the internal network into protected areas through the use of firewalls, stringent admission control protocols and VPNs.
Meanwhile, the increasing push to host network services on cloud platforms brings its own set of complexities, and organisations need to ensure that the shift to the cloud doesn’t lull them into complacency.
Owen suggests that organisations need to look for security features such as a high-end firewall and IDS when choosing a cloud provider.
“Also, make sure the provider undertakes regular security testing of the environment and that these results can be validated against your expectations. Also ensure that the security model fits with your enterprise security architecture,” Owen says.
The most important consideration for organisations is recognising which data needs to be protected and which services need to be hosted on the cloud. Owen warns that there is a temptation for some organisations to over commit just for ease of use and low cost. However, the issue of risk ownership must not be diminished by the move to the cloud.
“If it’s critical data then the risk profile needs to be carefully scrutinised and managed and the final decision comes down to value,” Owen says.
Risk visibility and data breaches
The number of high-profile local data breaches in 2012 and the focus on malware such as Flame have highlighted that the threat landscape is only getting more diversified. However, Owen says that the intense attention generated by every incident means that risk visibility will continue to rise. The important thing to note is that cyber-threats have moved into the corporate and public domain and cyber-crime will be a persistent trans-national threat.
Locally, the ongoing mandatory breach notification debate should provide plenty of talking points in 2013. While there is a clear public appetite for such legislation, the federal government has so far launched only a discussion paper on the issue.
The proposed reform would see companies and other organisations forced to disclose to the public any instances of data loss and could also see a penalty introduced for companies that suffer a data breach.
According to Owen, the discussion should prove to be most enlightening, especially with regards to identifying a pragmatic solution that protects customers without imposing onerous demands on companies.
“The key thing to watch out for is how any legislation will designate what is a material breach and what is not,” Owen says.
“Most importantly, organisations will need to understand what impact a breach has on the individual and what impact it has on an organisation.”
It will be interesting to see how this misalignment of priority is resolved in the coming year.