Security: Core To Survival
Monday 30th July, 2018
You can choose to have a secure service on the internet, or to have no business at all. Security is top priority: it’s right up there with a great idea and market leading product. If you get security wrong, your case for your idea and product are moot.
This hasn’t always been the case. Getting security wrong at best leaves you vulnerable and at worst could put your organisation’s future at risk. Let’s put it into context.
There are houses on islands on the west coast of Scotland, such as the Hebridean Isle of Muck, that don’t have locks on their doors. These islands are isolated and by the nature of existing in remote areas, have a great deal of trust with their community. In this context, there is an open trust relationship with the environment in which it exists and an assumption that there are no thieves or burglars (bad actors).
This was akin the internet circa 1990 when less than 0.05% of the population had some form of access, this was constrained by bandwidth and prohibitive costs. As the population of internet users has grown, the number, bandwidth and connectivity have gone up, and it is now more akin to a metropolis, where all doors have locks and there is a greater level of anonymity. This allows bad actors to move with impunity - and their ways and means to target organisations has grown too.
Security Is Core To An Organisation's Ability To Survive
With GDPR the legislation is catching up and making it clear that security is core to an organisation’s ability to survive. Get this wrong and the penalties are so severe as to put organisations of all sizes in jeopardy, and all too often the basics are missing. Weak password, no encryption, poor management of private keys, no antivirus protections and lax media policies. The list goes on however there are areas that can be focused on to limit exposure.
This may be obvious, however the easiest way often isn’t through a back door or through brute force hacking but through social engineering combined with ‘spear phishing’. A large bank was attacked though infected USB drives being left on the ground outside their offices, in the hope that curiosity would lead to people looking at the contents of the drives. Research by Google found that up to 45% of USB drives would be picked up and plugged into a computer within a week to look at their contents!
Are your people equipped to recognise the threat this poses or spot phishing indicators, false invoices or impersonated emails from directors? Directors’ names are easy to find from Companies House (in the UK) and companies often want to make press releases about new deals. With these 2 pieces of information a ‘bad actor’ could push for an invoice to be paid. Google and Facebook were caught out in 2017, so look at your processes to check you’ve minimised your exposure.
This frequently comes up: “We can’t be secure and agile…”. Working in agile ways requires working towards a minimum viable product, and security should be at the core of any MVP. Approaches that can support this include considering how you encrypt data from the start, are security keys effectively managed and does the platform you develop on ‘bake security in’ from the very beginning. Products that have already been released should look to make use of pen testing and ‘white hats’ to assure their product security and develop countermeasures for any issues highlighted.
A potential benefit of the GDPR legislation is shared responsibility for infrastructure, forcing cloud providers to ensure that what they provide protects themselves and protects their customers. Likewise, those that have their own infrastructure can look at the approach taken by cloud providers to protect their own infrastructure as a starting point.
Patch And Security Policies
These may be the most obvious place to look, however many organisations miss out where they have currency challenges or where they use 3rd party libraries as a part of their custom solutions. Both challenges can generate the same security issues with widely different approaches to the solutions. Currency, by its very nature, can require sums to be invested to catch up and meet current standard. Where infrastructure or applications are out of support, serious security challenges could be hiding in plain sight and may not generate enough CPU load or network traffic to easily spot. The increasing reliance on open source libraries is double edged – available functionality increased, thus when used in product solutions need to be maintained
Security is no longer a side issue for technology and it shouldn’t be for the Boards of companies. You wouldn’t leave your door open and build a house in a city with no locks. Your organisation isn’t a cottage on the Isle of Muck, so let’s not pretend you can manage with the same level of security!
I recommend looking at previous blogs on the topics of “Time to shine a light on IT Costs” by Michael Ward and “Agile: Not Falling Over Enough” by Matt Roach for more Coeus Insights in parallel to this.
Blog post by Alisdair Menzies