This second article focuses on another core topic of the Digital Transformation Expo in London: cyber security. Like the previous article, the text below is my personal interpretation of the sessions I attended, so not necessarily completely factually correct. The key take-away for me: cyber security and defense are primarily about people, not about technology and processes.
It’s all About the User
There were dozens of vendors present selling solutions dedicated to hardening applications and the underpinning (cloud-based) infrastructure. According to Gartner, companies and governments will spend an estimated $124 billion on information security products and services in 2019, an increase of almost 9 percent compared to 2018. That is an amount similar to the GDP of Ukraine in 2018.
So, the question is warranted whether that money is well spent.
The sobering news according to Verizon’s 2019 Data Breach Investigations Report is that roughly 80 percent of hacking-related breaches involved weak, stolen or default credentials. Regardless of whether the data is hosted a) in the company’s own datacenter, b) by an external service provider or c) in the public cloud (e.g. AWS, Azure, Google), most serious attacks start with collecting data about users: names, e-mail addresses, roles and, above all, credentials.
By the way, with ‘user’ I mean anybody from the CFO, intern, developer, supplier, contractor or customer who has, in one way or another, access to part of your restricted or confidential data (see illustration).
During the expo, several red team engineers demonstrated how publicly available data (OSINT), credential dumps and tools for sale on the ‘dark web’, and weaknesses in the application and/or infrastructure can be combined to slowly but surely enter your IT environment. Every internet-facing interface (e.g. Outlook Web Access, Active Directory Federation Services, self-hosted Lync servers, web VPN portals) provides The Bad Guys with an ‘attack surface’ to turn snippets of user data into access to the company’s IT environment: a leaked e-mail address becomes a username, a reused or default password becomes a login, and a login on one of these portals becomes a foothold.
The user is the most successful attack vector, not technology.
A Bigger Wall is Not the Answer
Hence, building bigger virtual walls around your data should not be your sole objective. It is equally important to be able to fail safely. Like the Maginot Line, which the Germans simply went around in WWII rather than breached, companies have to assume their fortifications and obstacles will one day be circumvented by an attacker.
Also similar to the Maginot Line is the need for an uninterrupted flow across borders for ‘non-combatants’. Customers, business partners, suppliers and users expect a frictionless user experience, and in the process part of your data has already left your premises. Slack, Teams, Dropbox, Box, OneDrive, public email (e.g. Gmail) and other collaboration tools ensure some restricted and confidential data leaves your company and consequently your control. Even worse, who prevents your business partner or supplier from storing data you consider confidential on an unencrypted USB stick or laptop?
As said, you can ‘harden’ your own devices (e.g. encryption, two-factor authentication (2FA), password policies) until your users pull their hair out in frustration, but one day sensitive information will slip through.
As you cannot reduce your cyber risk profile to zero, what can you do?
Business Value Drives Cyber Defense Approach
All data is equal, but some data is more equal than others. Customer data, intellectual property, employee payroll data and passwords are valuable corporate assets, not mere ‘data.’ For starters, this implies that it is the business and not IT which should be in the lead when classifying data. The business knows the context and thus the value of your documents, emails, presentations and other data points. Secondly, data protection is more than GDPR compliance, as your product designs, chemical recipes, source code, customer contracts and cost structure may be worth more than the reputation damage and fines related to a breach of Personally Identifiable Information (PII).
Hence, when defining your cyber defense approach, look beyond GDPR compliance (and other regulations).
With the value of your data driving your cyber defense approach, data classified as a ‘key company asset’ should be under strict, centralized business and IT governance. You preferably also don’t want this data to reside in multiple, geographically distributed data centers, or hosted by different public cloud providers, as each has its own cyber defense do’s and don’ts. Experimenting with different technologies, cloud providers and so on is crucial from an innovation perspective, but not so much when safeguarding your golden eggs. For the latter you want to invest in specialists with deep skill sets instead of generalists.
For key data assets, users are more likely to accept that they have to jump through additional burning hoops to access the data, even though user experience remains important: users will find ways to circumvent controls they perceive as unreasonably restrictive. And let’s not forget: a product design or other piece of intellectual property has value only when you can actually use it. Risk is only one side of the coin; the other is benefits (e.g. more revenue, margin or customers), a fact often overlooked by the CISO and other risk management professionals when designing a risk mitigation approach they consider appropriate.
Talking about user experience, another topic covered in London was the end of the password (hooray!). While counterintuitive, passwordless authentication eliminates one important weakness: weak passwords, passwords on Post-its, passwords stored as documents on the desktop and so on. Biometric authentication, pattern-based one-time passwords, hardware tokens and single-step 2FA (e.g. approving a push notification) are solutions gaining traction for data of medium value.
Value should not only drive user experience, but your whole cyber defense approach, as depicted in the illustration below. Both at industry level and at business line/process level, every company should make a conscious decision about what its overall cyber defense maturity should be. Full-blown Security Operations Centers (SOC), Cloud Access Security Brokers (CASB) and red teaming are expensive, as are company-wide two-factor authentication and security segmentation at application level (‘micro-segmentation’). They require a solid business case.
Expect other cyber defense practices, like the Zero Trust model, to enter mainstream adoption soon regardless of the industry the company is in, as it is all but impossible to distinguish between internal and external users. Suppliers, contractors, customers and students need access to some data but not to other data, from devices you may or may not know. And let’s not forget the impact of Artificial Intelligence, as The Bad Guys have already embraced it.
Artificial Intelligence to the Rescue?
As mentioned in my first article on the visit to the Digital Transformation Expo in London, Artificial Intelligence is going to cause serious waves in the years to come. Attackers will turn to AI to automate their attacks and make them more convincing (e.g. deep fakes, social media manipulation). At the same time, concepts like Smart Cities, smart medical devices, smart buildings and the Internet of Things (IoT) in general will dramatically expand the number of targets and attack vectors. Combined, they leave companies with little choice but to invest in AI-based cyber defense mechanisms. Due to their nature, AI systems can scale more easily than humans can to cope with the growth in number and diversity of smart devices. AI, not humans, can detect new, unknown patterns in millions of data points, countering the bad guys who use AI to help them evade detection.
In other words, the same cat and mouse game continues.