External threats might be what you read about most in the media, but internal inadvertent mistakes can cause as much harm for any organisation, according to industry experts.
“No longer can organisations choose one or the other; both the external attacks and internal users perpetuate an increased risk footing. Organisations need to have controls in place to protect their environments from data breach and loss, malicious or inadvertent,” says Shaun McLagan, GM for A/NZ at RSA.
“When thinking of a data breach, what often comes to mind are outside attackers penetrating an organisation’s defense. Whilst this is typically the case, it’s important we remember a breach can come from anywhere and can start from an individual simply trying to get his/her job done. We’ve certainly seen a shift in 2013 in the causes of data breaches,” says Mark Shaw, technology strategist for security across the Pacific region at Symantec.
“A holistic approach to security requires a combination of technology, policies and employee education. The “human factor” of employees creates a huge security risk – both intentional and accidental,” says John Kendall, security program director at Unisys Asia Pacific.
“From an internal perspective, there are a number of actors that have elevated access to sensitive data and critical assets. Beyond employees there are B2B partners, consultants, contractors, interns, and the like. With many organisations still focused more on external threats rather than internal threats there exists an underinvestment in security controls that focus on users interacting with sensitive data, privileged user monitoring and data exfiltration to removable storage devices or cloud-based solutions,” says Brian Contos, VP and CISO ATP at Blue Coat Systems.
People in the mix
Many of the security lapses that take place in an internal environment can be addressed by educating users.
“Security needs to be a combination of people, process, and technology for it to work efficiently. Only focusing on the technology will not deliver the desired outcome on protecting an organisation's critical information,” says Colin James, head of security at Vodafone NZ.
Most internal lapses in security can be traced to inadvertent mistakes, simple lapses of memory and inconsistent practices. Some of these can be addressed and rectified by intelligent and continuous training and education across the organisation.
“There is no ‘silver bullet’ when it comes to security. Particularly in today’s dynamic environment, where new threats are being developed every day, which makes it increasingly difficult for organisations to protect against these growing attacks. While technology needs to be continually updated to ensure it can protect against the latest attacks, investment in processes and training people is critical,” says Dean Frye, technical director APJ at Sourcefire, a Cisco company.
“People are often the weakest link in cybersecurity. Consequently, it’s important for organisations to invest in educating and increasing awareness among staff to limit their ability to compromise network security. However, in saying this, even with education and training, organisations still need to expect the compromise to happen, and as a result need the right security tools that have the ability to spot malicious activities and deal with them quickly to mitigate the risk of serious data loss and compromise,” adds Frye.
Prevention and response
Whether internal or external, the way organisations deal with threats is no longer just about throwing more technology into the mix. It is about going back to strategy and working security into enterprise-wide processes.
“There are five key steps to enable organisations to minimise data theft or leakage and counteract threats. They are identifying information assets, assessing the sensitivity of those assets, determining what the threats are (e.g., disclosure, modification, loss of services, theft), determining the impact of those threats against each asset and assessing the probability of such an impact occurring.
“With this knowledge a comprehensive risk assessment can be carried out,” states Gen-I’s head of security Greg Bickerton.
“The business technology landscape has evolved to allow external systems and devices to interact with internal, trusted applications. As such, the old security perimeter is non-existent. Access management must be the new virtual perimeter, powered by identity. Security monitoring and incident response is a core part of this, as organisations must account for the anomalous activity that occurs as a result of compromised trusted access to systems and applications,” says Martin Mooney, NZ country manager for Novell, NetIQ, SuSe and Attachmate.
"Educating employees is key to counteracting and defending against threats and thefts. This also has potential to impact the hiring of staff who will have access to sensitive data as part of their role. Vetting those staff appropriately assists in mitigating some key risks," says Matt Neale, software development manager at Estar Online.
"Further, by employing the principle of least privilege and access controls, you can ensure that staff only have access to data, systems and physical areas that they need to in order to perform their roles," Neale adds.
With increasing data threats on the horizon, coupled with the awareness that such occurrences can impact a business' reputation and credibility, organisations are increasingly starting to pay attention to the concept of resilience.
“Resilience is the realisation that breaches will happen and that organisations need to be able to recover quickly and continue to operate,” says Kendall.
“Organisational resilience is extremely important in today’s security landscape. No longer is it a question of ‘if’ your organisation will be attacked, but rather ‘when’ and ‘how often’.
“Having security measures in place that limit the damage cyber attacks can have on businesses is critical. This includes ensuring your security solutions are continuously monitoring for attacks across the entire network. Taking a continuous approach to monitoring, rather than point-in-time, enables attacks to be identified and remediated as quickly as possible. Further, having retrospective security enables organisations to, in essence, go back in time to find where exactly the threat entered and stop it from spreading,” says Frye.
Some, like Steven Pao, GM for the security business at Barracuda Networks, believe resilience should not be instituted at the expense of speed.
“Resilience is important, but organisations should not pursue resilience at the expense of speed. The security landscape is rapidly evolving, and the acceptance of real-time protection and rapid response remains important to the equation. Our aim is to package speed and automated real-time response in a way that is easy for organisations to deploy without IT involvement,” he says.
However, most others in the industry believe that a strategic understanding of resilience, implemented organisation-wide over the long term, might prove to be the best measure for firms to deal with the threat landscape.
“Cyber resilience is not just about installing point products into your IT environment but rather it is about understanding a broader set of business and technical challenges. These include understanding the risks in an increasingly connected cyber world and in particular the risks facing an organisation with rapidly evolving technologies such as mobile, cloud, virtual, big data, and social; as well as increasing dependence on the Internet to conduct business,” says Symantec’s Shaw.
“How businesses prepare for a breach is just as important as how you respond to one. For an organisation to be cyber resilient there needs to be in place a strategy that adapts to the ever changing cyber security landscape. This strategy should not only make your organisation cyber resilient but it should be designed to make security your competitive advantage,” he adds.
Starting down the path of organisational resilience can take many shapes.
“Organisations must have basics like an incident management plan in place. This could be one they manage internally, or they could outsource it to organisations like Gen-I who can provide full incident and event management through a security operations centre, on behalf of our clients.
“Another contributor to organisational resilience is a security incident and event management system, as part of the organisations’ operational ICT systems. Appropriate failover capabilities must be in place, together with a ‘make good’ plan, which details how to restore from the incident in a failover situation. Implemented effectively, this will deliver a degree of resilience which should have minimal impact on end users and hence the organisation overall,” says Bickerton.
RSA’s McLagan says, “Resilience should dovetail into the business continuity and disaster recovery processes. Continuity and disaster recovery should additionally be streamlined to ensure your business can handle any threat, be it natural or technology based such as a denial of service attack. Having a single “pane of glass” for these processes is vital to ensuring that the complex task of starting back up is as smooth as possible.
“Operationalising the plan is the key to effective recoveries. A good resilience plan will clearly articulate an individual’s tasks and responsibilities and is vital to ensuring there are no single points of failure. This also optimises each individual’s skillsets to ensure fast recovery,” he states.
True resilience can give an organisation a better chance of expecting attacks, protecting the right data with the right access controls, and coming out of them in an effective, fast manner. As the security landscape continues to change, it may be time that NZ organisations – large and small – involve information security at the strategy level and plan for what some say is the inevitable – a lapse of security.
Tips from the industry to help with organisational resilience
Make security personal to your business – understand your business and how security can be built into your IT practices.
Baseline your security regularly – analyse your state of readiness, so that you can interpret the symptoms that can lead to a security incident.
Map your threats – develop a map of the threat vectors holistically, not the individual threats.
Get executive and board engagement – cyber resilience starts at the top of the organisation.
Have a plan – develop a plan that addresses how businesses identify the important incidents and ensure they remain up and running no matter what.
Institute a security architecture – deploy technologies within a security architecture and develop the right strategies to manage those technologies.
Education – from board to new hire, it’s essential that everyone understands that they are responsible and accountable.
Do the basics well – leverage government and industry guidelines. This includes aspects such as patching and good user-level access management.
Plan for today and scale for the future – for example, BYOD is here to stay. Don’t just apply quick fixes; align your IT to a longer-term strategy.
Start small, but think big – information protection is a long-term project, but organisations need to start where they will add the most business value and then expand where there is further, long-term value.
Be accountable – understand what the regulatory, legislative and peer-to-peer controls are that the business needs to adhere to. Make sure there is a clearly defined owner for each of these and an executive sponsor.
Prepare communication – prepare response and communications plans in the event of an incident.
Don’t wait for it to happen – test your processes, procedures and people regularly. Make sure the business has clearly defined lifecycles that reflect changes in business strategy, technology use and culture. Make sure the strategy is current and effective for the business and the risks.