'Above all encrypt absolutely everything' - the industry's take on cyber security in 2018

The IT industry looks at the ramifications of Computing's latest security research

2017 was a rollercoaster of a year as far as cyber security was concerned, and our annual research programme, carried out in October and November, uncovered an unusual degree of anxiety over whether things will get better any time soon. The Computing Enterprise Security Review 2017 also offers pointers as to what we can expect to see this year. We asked three senior figures in the cloud security industry what they made of it.

"There's a definite feeling within the IT community that security is getting harder," said Rick Powles, senior VP EMEA at cloud backup specialist Druva, echoing the concerns of many we interviewed. From ransomware to IoT-powered DDoS to state-sponsored attacks, the extent and sophistication of the onslaught has been unprecedented.

Ransomware

If individual years have defining themes then for cyber security 2017 was the 'year of ransomware'. First WannaCry and then NotPetya arrived out of the blue leaving a trail of devastation and confusion in their wake. These two strains differed from previous generations of ransomware in that they actively and aggressively sought out new targets to infect using the NSA's leaked EternalBlue exploit and were thus able to spread very rapidly.

However, every crisis holds the seeds of opportunity. For security professionals tired of banging the same drum, these attacks at least delivered the shock required to rouse the boardroom and place a renewed focus on cybersecurity. The fact is, businesses quickly become blasé about threats, and once a Target or a TalkTalk has faded from the headlines it takes something very big, very menacing or very new to jolt them into action again.

"The WannaCry attack definitely made more people within companies sit up and take notice of what they are doing around security," said Darron Gibbard, managing director EMEA North at Qualys.

"I spoke with one customer who was mid-roll out when WannaCry struck, and the project went to the top of the priority list with full board support."

Ransomware puts pressure on companies to get their data management house in order, added Druva's Powles.

"Ransomware attacks themselves are increasing in quality, so there are fewer holes to exploit and recover data easily. Without a proper data management strategy in place - one that values information before it's no longer available - more companies will run the risk of having to pay both ransoms to get their data back and fines for poor security."

GDPR

Among the more surprising revelations was the relaxed (or possibly lackadaisical) approach being taken by many businesses to the EU GDPR legislation which comes into force in May. Working in IT media it's hard to recall a single day in the last couple of years without a GDPR announcement, press release, article or event coming our way so our view of its prominence is bound to be skewed. Nevertheless, more than 60 per cent of companies polled in November said they've only just started to prepare for the legislation - an extraordinarily high number considering the work that's likely to be involved.

It's possible that these businesses believe GDPR will not affect them, that the Information Commissioner's Office (ICO) will have too much on its plate to worry about their non-compliance, or that it's all something that has been overhyped by the consultancy industry. The first item excepted, they may have a point, however slight, but in view of the potential fines few would argue that it's wise to bet on slipping under the regulator's radar.

Another explanation for the apparent lack of action is that responsibility for compliance falls between various stools.

"I think this is partly due to GDPR being viewed as solely an IT problem, rather than one that will affect different areas of the business," said Gibbard.

"Getting agreement around how to handle customer records, how to manage them and how to deal with requests for that data from individuals will affect the legal, financial and operational sides just as much as IT."

Other firms may simply have underestimated the task ahead, particularly to locate and manage personal data as it exists across their network.

"Keeping track of all that data being created over time and in multiple places is a harder job than many give credit for," said Powles, adding: "I think a lot of companies are going to be in for a nasty surprise if they have not started preparing for GDPR already."


The apparently low priority given to GDPR was all the more surprising in view of another key finding: that compliance is the top priority for many businesses in 2018 - the IT department included. In fact among large organisations compliance was the number one priority in IT departments.

George Gerchow, VP of security and compliance at Sumo Logic, believes that for many it has always been a problem to be dealt with this year.

"To me, it's no surprise that so many of the people interviewed have no real plan in place, but my guess is that changed as of this week, now that we are in 2018," he said.

"Over the past two days, I have been inundated with requests for GDPR information, how we are preparing, and what steps we have taken."

Commenting on the figure above, Powles welcomed the strong focus on compliance.

"It's good that IT teams are taking compliance seriously," he said. "The ICO guidance around GDPR is really clear - this is not set up to catch companies out, it's about treating customer records seriously and ascribing a value to them."

Powles went on to say that compliance with GDPR should make it easier for all businesses to operate more efficiently when managing data, and should be considered an opportunity, not a chore.

The cyber skills gap

The shortage of cyber security skills has been an ongoing theme for some time. It emerged again in this year's research, particularly in the context of implementing multi-layered strength-in-depth defences - one of the most effective strategies for defending the organisation.

Part of the problem is that individual security tools and services don't always talk to each other. Improving this aspect could be a possible alternative to hiring expensive and hard-to-find skills, according to Qualys's Gibbard.

"Better integration of security data - even consolidating multiple point tools for single security suites - should help teams get more appropriate insight, and get it faster," he said.

"This consolidation and automation should help existing IT teams do more with their time, as it can be difficult to find the additional people to deal with potential threats as it stands."

What's next?

Looking forward to 2018, Gibbard sees an increased emphasis on the use of analytics to counter threats earlier and neutralise them before damage can be done. There will also be a focus on tackling the emerging menace of fileless malware, he believes. This is an area of increasing concern according to the Review. But rather than deploying new skills and solutions, most companies need to make sure they are getting the basics right.

"There are new threats like fileless malware that companies are worried about. There is also more interest in spotting successful attacks early. Detection can prevent these attacks from causing as much damage. However, many companies are still not getting the basics right.

"Managing vulnerabilities promptly across all your IT - whether these assets are in the cloud or are traditional assets like laptops and PCs - can reduce the potential risk dramatically. This means getting your process around patching right, testing updates faster, and managing potential risk more efficiently."

Powles said that managing data needs to be made easier, so that companies don't put this off as a job in the "too hard" bucket. Instead, "getting better data protection and management in place should be as simple as flicking a switch".

In addition, Gibbard also foresees an increased focus on cloud and container security from a developer and deployment point of view.

"These platforms are becoming more popular for deploying applications, but they need a different approach to security compared to traditional applications and assets," he said.

"I think we'll see more companies start to look at how they can build security into their application development processes as standard."

Integrating security into DevOps - so-called DevSecOps - and increasing process visibility was high on Gerchow's must-do list.

"Security can no longer live in a silo - the same data must be used by Dev, Ops and security, but through a different lens or use case," he explained.

"Cloud access security brokers are cool, we use them for data loss prevention, but it is only part of the picture as they don't really give me IaaS logs from CSP services like [AWS] CloudTrail, GuardDuty, VPC Flow Logs, etcetera."

Above all there needs to be a focus on authentication and encryption, he said.

"We use SSO [single sign-on] and MFA [multifactor authentication] across the board, as access is the biggest risk to the crown jewels and can help compensate for bad password hygiene," he said.

"Above all, encrypt absolutely everything."