Incident response plan is vital to deal with increased level of connectivity
The rise of the Internet of Things requires a new mindset, a new way of looking at things, about how we consume technology, says Simon Mullis, global technical lead, strategic alliances at FireEye. “The challenge now is security as a whole and how we manage it, how we measure it and how we keep up with the pace of change,” he says.
“There is a massive change to the way people communicate, which has happened very rapidly, and risk managers need to change the way they think to address this.”
People are no longer as active when it comes to using technology – picking up a phone, turning on a PC. They are becoming inactive service users, instead, unaware of how devices are constantly communicating with each other. This has a massive impact on risk.
“There is also a blurring of roles between customer and vendor,” says Mullis. “For example, you might have a medical device that feeds data to the user to help them manage their health, to the manufacturer to help it improve its product, and perhaps to an insurer. Data is moving in every direction.”
The long-held assumption that the answer to security risk is to build higher walls just does not work any more. “There is a growing awareness that a breach is now inevitable,” says Mullis. “At some point disclosure will occur and, most likely, not on your terms. Risk managers need to understand this. Companies can block as much as possible, but the attackers want to breach the wall and, as they grow in sophistication, it is looking more likely that they will succeed.”
Firms need to develop a combination of threat intelligence and expertise about how this risk applies to them, and use that information to become more agile, resilient and able to react faster. Doing this requires risk managers to think about the way staff on the network behave. “The target has moved from the data in the data centre to the person who accesses it,” says Mullis. “We are moving away from protecting computers and databases and towards looking after the data itself – and responsibility for data is not just the responsibility of the IT guys.
“Authentication, authorisation and access control become more important, rather than the devices themselves,” he adds.
These kinds of lessons apply particularly to the management of the Industrial Control Systems (ICS) that major manufacturers rely on day in, day out to manage everything from factory processes to power generation.
While these were not necessarily connected in the past, they certainly are now and yet there remains a stubborn, dangerous misconception at board level that there is an air gap [security measure that isolates companies from external and insecure networks] between these systems. “However these are not often used in business,” says Dan Scali, manager, security consulting services at Mandiant, a FireEye company. “There is always some connectivity to other technology on the campus and often back to the corporate network itself.
“This is not necessarily a bad thing, but it needs to be designed appropriately to address the risk and monitored so that if there is some kind of intrusion into the network, it can be dealt with.”
All trade journals report that the level of connectivity is only going to increase. “Wearable technology, Big Data, all these trends are becoming increasingly present in ICS,” says Scali. “If an air gap does exist it is rapidly eroding under the pressure of new technologies.”
The risk of a cyber attack occurring is further modified by the fact that new technology is often fitted to existing systems so, rather than designing in security from the off, it needs to be retrofitted. “Industry doesn’t have the appetite to rip out old systems for the sake of security, because security doesn’t drive the business,” says Scali.
In this environment risk managers need to be proactive. “You need to have an approach that addresses the risk practically as it really exists and this means time needs to be spent adapting cyber security so it can be applied to address risk in the real world.”
For example, risk assessors should ensure they have appropriate network segregation and traffic surveillance. “Businesses can’t always keep attackers out but they can act fast to make sure any intrusion doesn’t cause a catastrophe,” says Scali. “Have an incident response plan. If nothing else know what to do when something goes wrong. Avoiding investment in this area is not smart, even in the presence of other options like insurance. If a company’s strategy is ‘hope’, then that’s not enough.”
To address cyber risk, risk managers will have to roll their sleeves up and get more involved with operational teams so they can be the voice of these people at a strategic level – and by doing so help their organisation face up to the reality in a connected world.
Xavier Verhaeghe, technology solutions vice-president EMEA at Oracle, adds: “Growing in importance, visibility and business impact, risk managers need to balance the ease of use with total protection.”