Digital technology has infiltrated just about every aspect of Australian business. An unfortunate consequence of this hunger for technology is the increasing incidence of complex, global cyber attacks that are creating havoc across corporate and government networks. It’s a lucrative business and it’s only going to get worse.
This is forcing IT leaders across every industry to reassess the potential dangers and make ‘cyber resilience’ a core part of their enterprise-wide risk management programs.
Three IT security experts – Luke Thomas, ICT operations manager at Keystart Home Loans; Gavin Coulthard, manager, engineering at Palo Alto Networks; and Charles Anderson, an associate VP at IDC – discussed how to protect against cyber attacks. They were part of a panel at the recent CIO Summit in Perth.
According to Keystart Home Loans’ Thomas, many businesses aren’t focused on the threat of internal breaches.
“They protect their perimeter but they are not looking at the core,” he says. “We’ve invested a lot of time firewalling our core network … and seeing within an application what someone is trying to do.”
Keystart Home Loans has also created an incident response plan, which is put into action immediately if there is a data breach.
“This [plan] involves the chief risk officer and, depending on where the breach is located, it will involve executives from other areas as well. Essentially, it’s around evaluating what has happened and isolating the risk,” says Thomas.
Thomas says that notifying customers and suppliers is very important, particularly given the new Australian Privacy Principles, which came into effect in March this year.
“They actually class notifying [people] in the event of a data breach as a fundamental part of your response. You’ve got to be open with your customers and other vendors if there has been a breach in your network,” he says.
When classifying the level of protection required for its data, Keystart Home Loans asks four questions, says Thomas.
- What would we do if data was destroyed completely with no backups?
- What would we do if that data was unavailable for a period of 24 hours or more?
- What would we do if that data was compromised in some way?
- What would we do if the data was unavailable for a short period of time (less than 24 hours)?
Thomas says asking these questions gives the organisation a good understanding of how important certain data is to the business, and helps it classify that information.
Keystart Home Loans’ core mortgage application, which holds its clients’ information, as well as data residing in business systems such as email, needs the highest level of protection.
“Where there is data that needs to be protected, we’ll use encryption around that to protect it,” says Thomas. “Not just encryption when it’s not in motion but it’s crucial that you look at encryption in motion as well.”
Briefing workers regularly
The panellists agreed that briefing staff regularly about cyber security risks, and the potential consequences when information is leaked, is very important.
Palo Alto’s Coulthard says his organisation approaches data security using three pillars: people, process, and technology.
“Buying all the fancy cool new stuff is great but unless you have the culture of the business, the culture of the people within the organisation, it’s going to be a weak point.
“We’ve seen within some of the more public breaches, particularly Target [in the United States], they had the process and technology in place but it was the people perhaps who let them down.
“They [Target’s operations team] saw the alerts, saw that they were being compromised but … they didn’t believe that that compromise was critical, and we know what the outcome was,” he says.
Credit and debit card data was stolen from Target, as well as customer names, mailing and email addresses and phone numbers. The breach affected up to 70 million people.
“When you look at malware and look at these threats that are coming into an organisation – it’s clicking on a link, clicking on target emails. It’s picking up a USB key that has been dropped in the car park and plugging it into your laptop inside the network just to see what’s on it … so providing that education mechanism is key,” Coulthard says.
IDC’s Anderson adds that educating users is more important than ever.
“There are stories of people leaving USBs outside of companies because they know eventually someone is going to pick one up, and put it [a USB] in their computer,” he says. “People think they’ve had a lucky day because they found one sitting on the ground.”
More education is required, particularly with the increasing use of personally owned devices – such as smartphones, tablets or laptops – inside the enterprise.
“People are bringing in all these new devices and we are not educating them on the security risks that will be created from these,” says Anderson.
“In all honesty, most companies have been a little bit lax in securing those devices, they end up going down the road of saying ‘fine, you can bring in these devices’, because they want to keep the users happy … but they don’t actually secure the devices,” he says.
“It’s not just about the device, it’s the data in transit, the authentication and the applications and data that reside on the device as well.”
Keystart Home Loans’ Thomas says that the organisation’s IT group simply would not have time to send out notifications about every security vulnerability.
For example, the recent Heartbleed security vulnerability typically wouldn’t have been mentioned to staff if it wasn’t for the media attention it received, Thomas says.
“I think the really important thing people overlook with educating staff on IT security issues is that it really shows the value of IT,” he says.
“Quite often, certainly in the operations area, we’re keeping systems running and highly available. That’s not so visible but when you’re notifying people of a security threat, [telling them] ‘we’re doing X, Y and Z to protect you’ that’s very visible, they take that on board.”
Follow Byron Connolly on Twitter: @ByronConnolly