The days of only worrying about a handful of nosey hackers wanting to snoop around are long gone. Nowadays, the bad guys are a lot more threatening. They will steal sensitive data and threaten to release it, load ransomware onto the network and hold systems 'hostage'. They're also not beyond searching out important information and passing it on to a competitor. This roundtable looks at how businesses must adapt to a more threatening IT environment.
When it comes to IT security, it seems you can do everything right and still get caught out. Is it time to accept that breaches will happen?
Tim Quintal, senior product manager: cyber resilience, Internet Solutions (IS): If there are attackers who are sufficiently motivated, and who have enough resources, they will get in no matter what you have in place. This is why we are moving from talking 'cyber security' with our clients to talking 'cyber resilience'. Cyber resilience is where we don't just look at security, but also at things like disaster recovery, which will help you recover quickly from an attack. Ultimately, we prepare a company for a worst-case scenario. It's no longer just a case of saying you need antivirus and a firewall. You do need those, but also a whole lot more.
Yolande Kruger, associate director, Deloitte: We are taking a similar approach. We tell our clients that it's not a matter of if but when. The 'response part' of dealing with an attack is the most critical. It's how quickly you can get back to business as usual.
I just want to add, though we have the tools to fend off external attacks, the biggest threat comes from users inside the company. For instance, I have a colleague who once told me, 'If it's nice and shiny, and looks like a Huisgenoot recipe, I'll click on it'. This kind of behaviour is a threat for all organisations.
Pieter Nel, regional manager - SADC, Sophos: From a vendor perspective, I just want to say that although enterprises have the resources to put in place sophisticated security frameworks, small and medium-sized businesses can't afford to do so. This is a problem. A lot of smaller companies could close down because they won't be able to pay the fine for non-compliance under PoPI or afford to put in place the necessary IT security framework.
Christo van Staden, regional manager: Sub-Saharan Africa, Forcepoint: What I am hearing around the room is basically an acknowledgement that we are going to be attacked. As an industry, we have to ask ourselves, are we doing the right things, considering the trillions of dollars we have taken from our clients and the lack of progress we've made?
For me, it's not about asking whether a customer is going to be attacked; rather, we should ask, isn't it time for a paradigm shift in how we approach IT security? The way I see it, we need to focus on the 'human element', and also on how to safeguard data. These are the constants in all attacks.
We need to pivot away from protecting infrastructure, operating systems and online identities to protect what matters most - data.
Jeremy Matthews, regional manager, Panda Security: From what I've seen, security spend has been neglected. A lot of investment has been made in perimeter security, but somehow the move towards cloud computing and other types of emerging tech trends has left IT security behind. This means security is in some part dependent on slightly improved 1990s antivirus.
Antivirus is of little use when the biggest threats aren't coming from viruses but from hackers and internal attacks. These kinds of threats mean we have to go from a defensive approach, where you wait to be attacked, to a threat-hunting approach, where you go out and look for vulnerabilities and breaches.
You have to be ahead of the game. You have to be proactive.
Tallen Harmsen, head of cyber security, IndigoCube: I like what I'm hearing here, but I think we should look at the 'Carter Model', where there's a big focus on adaption. This model begins with detection, but also looks at predicting where the next attack will be.
Roy Alves, country manager, MEA, Axis Communications: I just want to make the point that educating users is also very important. We make security IP cameras, and historically, they have used a separate network to the corporate network. These cameras are now moved onto the corporate network, which is opening up a lot of opportunities. Retailers, for instance, are able to track the gender and even the moods of their customers.
The problem with these 'smart cameras' is that they have become a point of vulnerability because many of them are still set with default user names and passwords.
Companies are spending an enormous amount on things like firewalls, but it's an endpoint device like these cameras that is leaving them vulnerable.
Christo van Staden, Forcepoint: I want to back up that point: 86% of all compromises happen on the back of compromised credentials. We live in an era where privacy is an illusion. Facebook, Twitter and the like know more about your staff than you will ever know.
Henk Olivier, MD, Ozone Information Technology: I agree that education for the user as well as the business is important, but from what I've seen, people are also recognising the importance of the security tools used to deal with cyber threats. These tools provide visibility over networks and help localise threats.
Christo van Staden, Forcepoint: I agree with Henk, but we also have to have the correct tools and know how to use them. How many businesses have figured out what their objectives are before selecting a security tool? This is why they pick the wrong one.
On top of this, they also have to deal with the range of information created by these different tools. If you speak to a CIO today, one of their biggest security problems is monitoring and assessing the importance of all the alerts coming from these tools. If you don't know what you want to achieve with a tool, rather not buy it. Take a step back and figure out what you want first.
From what I'm hearing, we have to have a broader imagination about where attacks can come from.
Jeremy Matthews, Panda Security: We keep talking about reaction. We have to be more proactive. It's the difference between not letting people into the building because they don't have an access card, versus going outside the building and checking if someone can climb up the drainpipe, or going onto the roof and checking for footprints.
Roy Alves, Axis Communications: We have taken a proactive approach by having sensors put on some of our cameras, allowing us to detect if they are being interfered with. You would not believe how many crimes have been prevented by us putting these sensors in place. This is what we should be doing in the digital world.
Tallen Harmsen, IndigoCube: I agree with you. Sending someone an alert can make a big difference. We are working with one of the big banks and we tested a messaging service that warned users they were being monitored. They were not being monitored, but the users did not know that. Even so, it stopped many of them from doing questionable activity, and led to a 50% drop in insider theft.
Do we take IT security as seriously as we take physical security?
Tim Quintal, IS: I think the importance of security can be seen in who we are having conversations with. Before, it was with the IT manager, but now, it has shifted to the C-suite.
Executives understand the dangers of reputational damage that comes with a breach, as well as the possible theft of intellectual property.
I know IT security is being taken more seriously because I've seen an increase in the budget allocated to it. This is very different from a few years ago, where most companies just had a firewall in place and hoped it could do the job.
Saying this, physical and IT security go hand in hand. If someone can get access to your network, it doesn't matter how many millions you have spent on IT security.
Tallen Harmsen, IndigoCube: I think you should change the question. You should be asking, 'Are IT security and physical security treated separately?' There are still large enterprises out there that are not linking up their cyber security with their physical security. Companies should link them together, as it will enable them to have a proactive security framework.
Christo van Staden, Forcepoint: We employ technology that analyses user behaviour. Whereas the majority of tech only looks at logging data, with our technology, we are able to spot suspect behaviour using various bits of data. Employees' HR performance scores can be matched to what sensitive information they have tried to access, and if they sent their CV out via email. If an employee has 'negative sentiment', it can be flagged as a threat and they can be monitored more closely.
Pieter Nel, Sophos: I totally agree with you. Our technology has also changed to tracking user behaviour. We had to evolve because hackers have evolved. This has seen us turn to machine learning to track user behaviour. We use it to try to find the riskiest users in an organisation. The goal is not to get them fired, but rather to educate them on possible threats.
Does the C-suite 'get it' when it comes to understanding the threat?
Jeremy Matthews, Panda Security: You can't make a blanket statement, but those that trade with European companies know they have to abide by EU data protection legislation.
The difficulty is that they have to deal with 'unstructured data,' like banking details and ID numbers, which are sitting in PDFs and Word documents. There's a real requirement to deal with this, as they pose a regulatory and security risk.
Yolande Kruger, Deloitte: We have certainly seen an increase in interest from the C-suite as well as from the board. What we as security professionals need to do is translate a very technical discussion into a business discussion, so they understand what decisions they need to make.
This article was first published in the September 2018 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.