Are you ready for the year ahead in security?
Neil Campbell, Director of Global Security Solutions at Telstra, shares his insights into the next year in security.
It’s been a big year for security, with outbreaks like the WannaCry ransomware, NotPetya malware as well as the Equifax hack dominating headlines around the world and causing a stir in boardrooms.
While awareness of the importance of security among decision makers has never been higher, the Telstra Security Report 2018 found that businesses are still having difficulty addressing today’s security challenges and effectively preparing for the future.
We sat down with Neil Campbell, Telstra’s Director of Global Security Solutions, to discuss the state of security in 2018, the Telstra Security Report’s key findings, and what Australian businesses can expect in the year ahead.
Prompted by what can only be described as a turbulent year in security, this year’s Security Report was Telstra’s most comprehensive, surveying more than 1,250 security professionals in 13 countries. What were its key findings?
Neil Campbell: The most interesting finding in our security report this year was that 60 per cent of respondents had suffered a business-interrupting security incident in the last 12 months, and that's quite significant because when you think about a business interruption, that means lost wages, lost productivity and lost opportunity.
Not many businesses can sustain an interruption for multiple days without a huge impact on their viability.
“We found that 60 per cent of respondents experienced a business interruption in the last 12 months. That means lost wages, lost productivity and lost opportunity”
Additionally, 77 per cent of respondents suspected that they'd had an incident in the last 12 months but couldn't prove it. This speaks to the difficulty Australian businesses are experiencing in rapidly identifying threats, and then being able to resolve incidents in a timely manner.
We expect these two core challenges to continue through the coming year, as attacks increase in sophistication.
What are the major attack types targeting Australian businesses, and how can they keep their data secure?
Neil Campbell: In 2017, Business Email Compromise (BEC) and other phishing attacks, together with ransomware, were the most common threats to Australian businesses.
We’re also seeing more and more that it's about the loss of the data that businesses hold. Not just data about the business, so things like intellectual property, but in particular data about their customers, which is now under greater scrutiny through new legislation such as the EU’s GDPR and Australia’s Notifiable Data Breaches scheme.
The first, crucial step to protecting this data is simply understanding where it is.
As businesses move more of their data into the cloud, they can't think in terms of the old castle paradigm anymore: "If it's on the inside of my network it's safe, if it's on the outside it's not safe".
Now that their data and their customers' data are stored in multiple places both on premises and off premises, they have to adapt their thinking about data security, they have to adapt the controls that they use, and they have to get a lot better at having those security controls follow the data to wherever it's needed.
It can be very difficult for a company to work out where the critical information it needs to protect is, and therefore difficult to allocate the resources to do so. I see this being an ongoing challenge.
In a world of increasingly sophisticated attacks targeting non-technical staff, how can businesses best promote organisational security awareness?
Neil Campbell: Cybersecurity is an ever-evolving field. As new attacks are created, new defences must be created to counter them. One trend that remains consistent is the exploitation of people. When we think about the two major findings from the Telstra Security Report, they were the rise of business email compromise, and the rise of ransomware.
Both of those attacks rely on tricking people into clicking on links. We'll see that grow over the following years, because as technology gets better and better, criminals will rely more and more on individuals and their security awareness as a form of attack.
One thing you can do in your organisation to help with this is make sure that you have a strong security education programme that addresses both physical and cybersecurity, and also run cybersecurity drills, and run tests. Don't single out individuals, but look for a major change in security culture over time.
How will new legislation, such as the GDPR and NDB, change the way businesses think about security in the coming year?
Neil Campbell: The Notifiable Data Breaches amendment to the Privacy Act requires that businesses report both to the affected customers and to the Privacy Commissioner on any situation where they believe that person's information has been accessed unlawfully by a third party. The General Data Protection Regulation imposes even broader requirements.
That's significant because previously it was up to the organisation as to whether or not they communicated a data breach. Now it's law, and what that means is we'll see a marked increase in the media of announcements of hacking incidents, of access of personally identifiable information, which will bring with it a lot more consternation I think in the community. This means a lot more inspection, but most beneficially a lot more rigour in the way that organisations protect personally identifiable information.
In addition to the actual protection of data, this new legislation will require companies to spend more time dealing with compliance, whether it’s new policies and procedures or increasingly complex reporting requirements. Over the next year, businesses should try and find overlaps in reporting to make it more efficient.
Another key trend identified in the security report is the ongoing convergence of cyber and electronic security. Why are these two fields converging, and what are the benefits for businesses that embrace the converged approach?
Neil Campbell: Security convergence is an interesting topic. What we're talking about is bringing together the traditional physical security world (alarms, door access, CCTV) with the cybersecurity world, and those two disciplines grew up in very different ways over very different time frames. What we're seeing in the market is a trend toward bringing those two disciplines together so that you can get much better visibility across your entire security estate.
There is huge enthusiasm in Australia for security convergence. One reason is cost effectiveness, and the other reason is that one and one equals three in this case: bringing together what were disparate disciplines means that you get a total view of security, which creates a much greater level of visibility for the organisation.
So, for instance if somebody attempts to log on to an account in a building in Melbourne, we would be able to check and see if that person had entered that building. It's that kind of use case that's driving convergence.
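The building-access use case described above, written out as a detection check. This is an added example, not code from the interview or from Telstra: it correlates constructed logon events with constructed badge-reader events and flags any logon from a site where the badge system does not show the user as present.

```python
from datetime import datetime

# Constructed sample data (not real logs). Badge events: (timestamp, user, site, kind).
BADGE_EVENTS = [
    ("2018-03-05T08:02:00", "alice", "MEL-HQ", "entry"),
    ("2018-03-05T17:10:00", "alice", "MEL-HQ", "exit"),
    ("2018-03-05T08:30:00", "bob", "SYD-01", "entry"),
]

# Constructed logon events: (timestamp, user, site the logon came from).
LOGON_EVENTS = [
    ("2018-03-05T08:15:00", "alice", "MEL-HQ"),  # badged in at 08:02: consistent
    ("2018-03-05T18:05:00", "alice", "MEL-HQ"),  # badged out at 17:10: review
    ("2018-03-05T09:00:00", "bob", "MEL-HQ"),    # bob badged into SYD-01: review
    ("2018-03-05T09:05:00", "carol", "MEL-HQ"),  # no badge record at all: review
]


def parse(ts):
    return datetime.fromisoformat(ts)


def present_at(user, site, at, badge_events):
    """True if the badge log shows `user` inside `site` at time `at`, i.e. the
    most recent badge event for that user and site before `at` is an entry."""
    last = None
    for ts, u, s, kind in badge_events:
        t = parse(ts)
        if u == user and s == site and t <= at and (last is None or t > last[0]):
            last = (t, kind)
    return last is not None and last[1] == "entry"


def find_inconsistent_logons(logon_events, badge_events):
    """Return logons whose site does not match the badge system's view of where
    the user is. These are triage signals, not proof of compromise: a missed
    badge swipe (tailgating, propped door) produces the same inconsistency."""
    flagged = []
    for ts, user, site in logon_events:
        if not present_at(user, site, parse(ts), badge_events):
            flagged.append((ts, user, site))
    return flagged


if __name__ == "__main__":
    for event in find_inconsistent_logons(LOGON_EVENTS, BADGE_EVENTS):
        print("review:", event)
```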
The emergence of IoT has been one of the key stories in security over the last few years. How can organisations adopting these devices ensure that they’re not a security liability?
Neil Campbell: One of the challenges with IoT devices is that the firmware they're shipped with is often the firmware they have for life. So whatever vulnerabilities are present, and whatever vulnerabilities are subsequently discovered, they are vulnerable to for the life of the device. Now, in the world of cybersecurity we're used to dealing with that, and we patch regularly.
In the world of IoT, we're not so sophisticated yet, but we’ll get there.