Enterprise security: 'the fashion industry at work'?

Industry insiders comment on the findings of Computing's latest security research

The recent Computing Enterprise Security Review looked at the areas of most concern to businesses and public sector bodies large and small, how they are responding and what they are looking for from the cyber security industry.

Three leading figures from that industry have come back with their thoughts on the report and the picture it paints of enterprise security in 2017.

Data governance

Among the large companies polled, data governance ranked as a high priority. It featured particularly strongly in heavily regulated industries such as finance, education, health and the public sector.

Data governance is a vital component of data security. Firms need to know where their data is, how many copies exist, how it is encrypted and stored, where it is transferred, who has access rights, and so on.

Darron Gibbard, chief technical security officer at Qualys and ex-head of enterprise risk and information security services at Visa Europe, said that lax governance can make it easy for attackers.

"Poor management of existing assets can be one of the biggest routes for malware into businesses," said Gibbard.

"For 2017, getting all businesses to know what assets they have may seem like a simple first step in solving this, but it is necessary if companies are going to improve their approaches to security in the future."

GDPR

Data governance also underpins the top concern for large organisations: compliance with regulations such as the EU General Data Protection Regulation (GDPR), which becomes law across the EU in 2018 and which will apply to all companies trading with EU countries. However, compliance was only third on the list for smaller firms.

We reasoned that the discrepancy had a lot to do with the difficulty that large distributed organisations face in tracking down data and shoring up systems to make sure they will be compliant. Bob Mann, principal consultant for Jirasek Security, agreed that large firms may have underestimated the task ahead.

"From the report's findings, and my own experience, organisations have either no, little or poor asset inventory data covering hardware, software and data, especially when it comes to personal information collected on customers," he said, urging companies to begin the auditing process as soon as possible.

"Start, without delay, scanning your ICT infrastructure. Identify your hardware, software and data assets, and ensure you have the right expertise to remediate effectively to ensure that you meet the prescriptive GDPR requirements," he advised.

Mann went on to warn that the EU is likely to make some early examples of transgressors to show it means business. With possible fines of up to four per cent of global turnover, non-compliance could prove very costly.

"Fines may become a money maker for the EU, so UK data controllers and processors will have to beware," he said.

Disaster recovery

Disaster recovery is a priority for both smaller and larger companies. With downtime increasingly unacceptable, businesses need to plan for what to do should the worst happen. But Mann was surprised by a lack of specific coverage of incident management.

"This is surprising to me, as better management of incidents can have a direct impact on how well companies can respond to security and disaster events alike," he said.

Another surprise, according to Mann, was a lack of emphasis on building security into the project management and application development lifecycles.

"As web apps remain the primary vector for cyber attacks, getting more understanding of security into ongoing IT management would have a direct and beneficial impact over time," he said, adding that the burden of safety should be shared.

"Everyone should be responsible for security, not just the IT security team," said Mann.

Ransomware

Ransomware really hit the big time last year, with attackers turning their attention from individuals to businesses and public sector organisations such as schools and health services. The takings from each individual ransom paid may be small at £100 or so (although there have been reports of much higher demands), but the probability of arrest is very low, making it an attractive money-making option for the criminal fraternity. There are even 'helpdesks' set up by the criminals to walk victims through the process of procuring bitcoin, the cyber extortionist's currency of choice.

The disruption that ransomware can wreak (hospital networks have been hit, for example) explains why a quarter of those polled said they were more likely than not to pay up if attacked: it may be seen as the lesser of two evils. Before they do the attacker's bidding, however, they would be advised to check their options, according to Paul Simmonds, CEO of the Global Identity Foundation.

"There seems to be a widespread ignorance of the industry efforts to create free decryption tools," he commented. Indeed a quick internet search reveals that many cyber security vendors offer such tools. Perhaps the industry as a whole should be doing more to publicise them.

New solutions

Artificial intelligence and machine learning are all the rage, nowhere more so than in the security sphere. The promise is that systems are trained on what normal network activity looks like and then flag anything that deviates from it as suspicious.

However, Simmonds was disparaging about some of the claims made for machine learning.

"This is the fashion industry at work," he said, adding that he was "saddened" that the industry appears to be focused on new solutions rather than emphasising best practice.

"There's still no mention of aligning security to business risk appetite, and no mention of adaptive access controls to transactional risk," he said.

Isolating data and applications through containerisation was mentioned by 30 per cent as a growth area. Containerisation has some real advantages - and not just ones related to security. Containers can also be spun up in seconds and, unlike virtual machines, contain all the dependencies an application needs.

"There's a huge amount of potential value in new technologies like containerisation," Gibbard said. "However, these new options don't become secure on their own. Putting strong security processes and base level image management into place can help."

He continued: "More importantly, security should be built into each infrastructure platform by design. From company-wide platforms like cloud deployments or internal data centres through to individual desktops and laptops, security should be planned into all IT by design."

Mann added that containerisation may be helpful in fencing off secure infrastructure zones in the same way as CISOs often create secure data zones, protecting against intrusion and limiting the impact of an attack by segmenting the infrastructure. However, in practical terms, this approach is still fairly new.

"The impact of containerisation on how IT security teams build out and manage these secure zones will have to be seen over time," he said.