As eventful as 2020 has been, cybersecurity has managed to stay in the headlines. In October alone, the US government’s Cybersecurity and Infrastructure Security Agency issued the equivalent of one alert per day for industries and businesses, and the head of the Securities and Exchange Commission warned that corporations needed to boost vigilance against a possible wave of attacks.
The good news is that many businesses are paying attention. Cybersecurity awareness has grown by leaps and bounds, with one recent survey finding almost 80% of businesses rank cybersecurity among their top five concerns, up from just over 60% in 2017.
At the same time, confidence among businesses that they can deal with cybersecurity in practice is declining. It’s easy to understand why; new trends and technologies equal a steady stream of new threats, forcing enterprises to constantly adjust their capabilities to keep up.
Confidence in cyber resilience measures slipped from 2017 to 2019
Know your weak spots
Step one is recognizing how the nature of threats has shifted, and facing up to the new security realities being created by the proliferation of connectivity, data and cloud-based computing models.
The mass migration from in-house servers to cloud-based architecture comes with some inherent security advantages. Given it’s foundational to their business model, major cloud service providers invest in and prioritize security in a way few enterprises can match, so any cloud-hosted systems have a strong base level of defense.
“There’s definitely a plus in going to the cloud in that you do benefit from the nearly always superior capabilities of major cloud providers to protect their hardware and networks,” says Robin Doherty, Lead Security Architect, ThoughtWorks.
The problem is, some enterprises assume entrusting their assets to a cloud provider means security is effectively covered. A recent study of firms in four major Asia Pacific markets found over half believed all security infrastructure requirements are handled by their cloud service provider, and just 40% understood security was a shared responsibility. This is despite the fact that, as Doherty points out, most cloud providers are explicit about where their duties end - and “give their customers a lot of scope” to introduce vulnerabilities.
Common Misconception of Responsibility
Greater adoption of the Internet of Things (IoT) has enabled companies to automate many critical functions, including in some cases security itself. But as more connected devices are deployed at critical points in the production process, or come into closer contact with employees and customers, the enterprise’s attack surface expands.
“I’ve even heard about devices like thermometers being hacked,” says Muralinath. “That alone can be enough to bring someone inside a network where they can access other devices and data. The fact that we’re so connected is something that’s also increased the threat landscape.”
Particularly when it’s part of the systems that govern critical assets like health facilities or infrastructure, IoT security “becomes critical, because the impact is direct and it’s physical,” says Tripathy.
Unfortunately, “a lot of IoT products have poor security,” Doherty says, shipping with problematic default configurations or passwords that may never be optimized or updated.
This is particularly worrying when more people are working remotely and as the lines between personal and work devices have blurred. A new study by the US National Cyber Security Alliance, for example, showed about a third of connected device users don’t always bother to change default passwords and that half regularly access unsecured WiFi networks.
Respondents that change connected device password settings from the default manufacturer settings
That argues for enterprises to work toward creating a ‘zero-trust’ architecture, meaning “you don’t trust devices just because they’re on your network, and you don’t trust everything that a system does just because you created that system,” Doherty explains.
“Siloed, compliance-led security with lots of focus on hardware and firewalls - security in the corner, you could call it - is almost a bit of theatre or a fig leaf to show people that something is being done,” agrees Gumbley. “It leaves enterprises vulnerable to getting washed away by all the risk out there.”
The more future-proof approach is to position security as a collective effort, in which every function, having something to lose, also has a role and a say. “Security has to be based on different perspectives,” Gumbley explains. “The technologists might not understand the particular value of a certain set of data, but another team will because they live and breathe it. Legal, HR or other parts of the business often have a better idea of what’s at stake and what can actually go wrong than someone who knows how to configure a firewall.”
“Enterprises can foster a more collaborative security culture by deploying members of the security team to act as internal consultants,” Doherty says. Having security work within project teams embeds defense mechanisms throughout the development process and avoids the “security sandwich,” where checks are applied only at the beginning and end of a project with potentially painful results.
“Adding a security person into a cross-functional team means you’re doing a better job of reducing risk as you go,” he explains. “You don’t end up in a situation where the project or requirements change over time, and when the security team comes back towards the end, they identify a bunch of problems. And then you have to have a horrible conversation about whether you need to postpone going live.”
Making security more democratic may involve delicate organizational changes that reshape the balance of control and accountability, Muralinath says. That argues for the process to be accompanied by senior management support and a certain amount of outreach to all levels of the enterprise.
“People closer to the ground, like product owners, may not understand the responsibility for security is now in their hands as well,” says Muralinath. “There are many times that they might keep putting things off, saying ‘let’s just build a feature first, let’s get this out the door and we’ll worry about security later.’ There’s a lot of education that needs to happen at that middle level of management.”
“It’s important to educate and create a good amount of awareness around security techniques,” Tripathy agrees. “Telling employees exactly what is critical for the organization, what the business assets are, what data can and can’t be disclosed publicly. When the new normal is virtual and social, we need to develop critical thinking in employees in general - not only when they’re coding, but when they’re engaged in day to day activities.”
Confronting the talent deficit
A major advantage of building security capabilities collectively is that it can help the enterprise cope with the real, and pressing, shortage of cybersecurity talent.
According to the global IT governance association ISACA, over 60% of organizations believe their cybersecurity teams are understaffed, and 66% find it difficult to retain cybersecurity staff, mainly because they are regularly recruited away.
State of Cybersecurity 2020
Similarly, if security teams are incentivized only to reduce risks, they’ll often be left at odds with the rest of the organization, especially delivery teams, who are usually motivated to get things released as quickly as possible.
The answer, according to Gumbley, goes back to making risk something everyone is measured against. “Established best practice around risk management is the solution to the problem,” he says. “That could be a risk register - a prioritized set of risks that you’re aligned around as a business. The important thing is that a set of risks is owned by the business, not by the security team.”
Muralinath meanwhile believes more metrics should be constructed around where and when vulnerabilities are detected. “How late did you find the defect - during early development, or production? Your pipeline should be set up such that your build doesn’t proceed to a certain environment if certain kinds of tests fail,” she says. “What you’re really measuring is the effectiveness of those programs, as well as the knowledge and awareness of your teams.”
“If your customer information has been affected, it’s best to just come out in the open and disclose that,” agrees Muralinath. “It’s important that you understand the depth (of the breach) enough to be able to disclose it accurately, and give concrete steps on what’s next. You need to present solutions along with information on the problem, so you’re not just making customers aware, but building trust at the same time.”
Once the dust has settled, a post-mortem can turn an incident into an opportunity to learn, but shouldn’t descend into a blame game. As Tripathy points out, most incidents “are not just because of one layer being breached; it’s generally a misconfiguration of multiple layers.” That makes it difficult to point the finger at a single person or point of failure.
“You’ve got to do some kind of retrospective, even for near misses,” agrees Gumbley. “But at the end of the day, assigning blame is not going to help you prevent the next incident. Breaches are so complex that there’s always multiple causes, and with many systems now a multi-vendor patchwork of different organizations and labor frameworks, it can be a real minefield.”
The lean security cycle
While risks continue to rise, experts also see plenty of room for hope about the future of enterprise security, as more organizations experiment with proactive, even inventive, steps.
“I definitely see people investing more in security, and if nothing else, top management is really concerned, which means if you’re consulting on security, they’ll listen,” says Muralinath.
Tripathy points to ‘bug bounty’ programs, in which companies reward third parties for discovering issues or vulnerabilities, as a promising example of how security practices are starting to push the envelope.
“Organizations are beginning to understand that they may not have the resources to perceive all the attacks that are introduced or problems latent in their applications,” she says. “There are a lot of assumptions in your thinking when you’re an insider, so external views can show you something very different. It definitely needs to be done carefully, but it’s a very smart way of looking at security, and makes me optimistic about what’s to come.”
Trends like these underline the theory that when it comes to shoring up defenses against emerging threats, enterprises may benefit most from efforts to broaden perspectives.
“Controls are all well and good, but there are still a lot of people who don’t think about security in their decision-making processes,” Doherty explains. “It’s important to build the ability to assess risk generally, not just security risk. It’s a difficult thing because the scope of what you need to worry about as a human or a technologist has grown; there are more and more things that each of us needs to internalize and take a little bit of responsibility for. But the power of that understanding can’t be overstated.”