I love security and I love hacking. In 1977, my school had a mainframe computer, one of the first mainframes anywhere in Australia, and I hacked into it. I got into such trouble, but I found hacking interesting and exciting… even though I was banned from the mainframe for the rest of my school days!
In 2018 customer experience is still top of mind but security is now intrinsic to that experience. It’s not a case of either/or.
Today, technology is advancing quickly and there are much better hackers than me, but I still know what it takes to keep an organisation secure.
The first line of defence is actually social, not technical. Social engineering means making sure that staff do not fall for things like phishing scams. They need to be made aware of people trying to imitate other people and trained not to give out their passwords or allow someone to follow them into a building. Even today, these things are still the foundation of security. I love the social engineering component that helps ensure, from a security perspective, that when an organisation is being attacked all of its employees, staff and systems are kept safe. There are ever-increasing amounts of technology available, with incredible firewalls, artificial intelligence responses and antivirus software. There are many different solutions to protect a network, but the challenge remains human. Individuals either misconfigure systems, or they simply do something that they shouldn’t do, like having ‘password’ as their password.
At Security in Depth we have a network of 9,000 individuals globally that we communicate with about what they’re experiencing and where they see emerging cybersecurity challenges.
The third area is governance. Organisations must implement risk management governance processes to manage their security frameworks, instill best practice amongst employees and conduct audits regularly. In a connected world, of particular importance is how an organisation integrates its systems and processes with other companies. One of the challenges today is that while an organisation might be secure internally, a company that it exchanges data with might not be secure, and that exposes a risk. A talented hacker can enter one company via another company’s systems in order to steal data or introduce a virus. Risk management processes, and particularly the protocols for integrating with a third party, are vital. These processes might include things like penetration testing, security testing, security audits and code reviews of the third party’s platforms.
Finally, there’s incident response, to limit the impact when there is a security incident, and preemptive simulated attacks, known as red-teaming, so organisations can see how they would respond to a real attack. Red-teaming can be a fun but alarming exercise. Through a planned activity, organisations get to see what damage could be done. It goes beyond penetration testing to see if physical networks can be hacked. It might be through Wi-Fi, an office walk-in, finding open internet cables, doing USB drops, phishing or other things, just to see how deeply the network can be penetrated and, most importantly, how it responds and what changes need to be made.
The challenge will remain human, as you can have the greatest piece of technology, but if a laptop is left open and somebody can easily access it, they potentially have the keys to the kingdom.
At Security in Depth we have the motto ‘trust but validate’. If an individual is utilising an unknown source, an unknown IP address or an unknown computer, we recommend two-factor authentication – something you have and something you know; a password is still required, but it needs to be validated by an RSA code, for example. That’s a good starting point, and having systems that are able to recognise where traffic is coming from and determine whether it is normal or abnormal traffic is a great help. Every organisation is vulnerable at some point, but our mission is to provide solutions and products that enable organisations, everywhere around the world, to be more secure and to reduce their risk.