Digital technology has fundamentally changed business practice over the past decade. Cloud-based applications dominate, workers routinely access corporate information remotely via smartphones, and access to the corporate network increasingly extends to supply chain members, contractors and part-time workers. Yet cyber security has failed to keep up, and – as the ramifications of the Equifax breach revealed – some of the responsibility has to lie with the C-suite.
However, to what extent should the buck stop with the CIO alone when a breach occurs? Surely it is time that entire boards take a holistic view of their risk profile, and empower dedicated security teams to have full control over policy and implementation?
Current solutions are flawed and follow an outdated approach to security. Companies – with every single member of the C-suite leading by example – must change to a Zero Trust security posture, so that when they update their technology they do so with a new, innovative mindset, rather than repeating the same cycle with the next generation of flawed technology.
Exploding Attack Surface
While it is hard to imagine a new business initiative or strategic development that is not IT driven, only 45% of boards participate in overall security strategy. Yet not only does technology underpin every aspect of business; the increasingly fluid and agile way in which businesses now operate has fundamentally changed the threat landscape, most notably by massively expanding the attack surface. The number of applications now being used by a huge and diverse user base, both within and outside the organisation, across personal smartphones, in the cloud and, of course, on IoT devices, has created a level of risk never before encountered. Each one of those users or end-points becomes a target, a point of potential vulnerability. Just consider the recent Australian government breach, where a subcontractor vulnerability compromised security throughout the entire network. Or the multiple breaches of the Equifax network that have since come to light.
The simple fact is this: users are a security weak link. Unintentionally or maliciously, it is the rise in compromised users – from sophisticated phishing attacks to unauthorised sharing – that is contributing to the global escalation in security breaches.
Moreover, current security strategies mean that security is not centralised but fragmented across multiple silos – from application developers to network teams and those responsible for remote access or end-point protection. The result is a lack of consistency that creates gaping holes in the security infrastructure; holes that are being routinely breached by ever more sophisticated and motivated hackers.
Even worse for the CISO is that these breaches are tough to detect – the average breach goes undetected for between 120 and 150 days. Clearly, simply adding layers of security tools to the current ‘protect, detect, react’ model is failing to protect either organisations or individuals.
While security remains a secondary business consideration and security teams lack central control, the corporate risks will continue to rise.
Best Practice in Cyber Security
The difference between those organisations that have a top-level commitment to security and the rest is stark. The best practice approach ensures security is considered, evaluated and incorporated into the planning stages of every corporate strategy – not addressed after the fact. Furthermore, the best cyber security models are based on the acceptance that breaches are now inevitable. Technology is too complex; security models too full of gaps and hackers too sophisticated. Breaches, therefore, need to be contained – and the best way to do that is to adopt a Zero Trust model and accept that access once within any part of the extended enterprise must be strictly limited.
For example, replacing a traditional – and vulnerable – rigid firewall with a software-defined perimeter that is far more fluid enables a business to remain secure despite constant operational change. A software-defined perimeter that is disconnected from the infrastructure can drastically simplify the complexities of adding or removing cloud applications, or granting mobile access for a specific set of workers. Similarly, the adoption of software-defined Wide Area Networks (SD-WAN) enables organisations to securely embrace the lower cost cloud computing model while maintaining every aspect of the security posture – from policies to encryption.
Essentially, with a centralised approach and a security strategy aligned with business direction, organisations can move away from outdated thinking about securing the perimeter. Simply put, security can no longer be about managing devices and networks. It must instead be focused on managing users and applications, and tightly aligned with the business objectives associated with both. For example, role-based access control can enable an enterprise to consistently enforce policies across the range of users and applications, directly aligning that critical security function of remote access with the overarching business objectives.
The most effective approach enforces these policies in the access control process itself, building on existing policies for user access and identity management. Then, when access is granted, the application traffic is protected by cryptographic segmentation that prevents it from being accessed by users who are not permitted to see it.
This approach has the added benefit of blocking unauthorised lateral movement, which is the hallmark of modern data breach vectors. If all applications are protected by real-time role-based access control, and if all user access is limited to only what a user needs to do their jobs, then the compromise of one user does not grant access to everything. Lateral movement is constrained and the breach is contained.
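To make the containment argument above concrete, here is an added example (not code from the original article or from Certes Networks) that compares a perimeter-style policy, where anyone on the corporate network reaches every application, with a per-application, role-based policy, and measures how much of the application estate a single compromised account can reach under each. The application names, roles and users are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Set

# Constructed sample estate: five internal applications.
APPS: Set[str] = {"hr-portal", "payroll", "crm", "source-repo", "finance-db"}

# Constructed role-to-application grants (least privilege: each role
# sees only the applications its job function needs).
ROLE_GRANTS = {
    "hr": {"hr-portal", "payroll"},
    "sales": {"crm"},
    "developer": {"source-repo"},
    "finance": {"finance-db", "payroll"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    on_corp_network: bool = True


def perimeter_allows(user: User, app: str) -> bool:
    """Legacy model: being inside the perimeter is the only check."""
    return user.on_corp_network


def role_based_allows(user: User, app: str) -> bool:
    """Zero Trust model: access is decided per user and per application."""
    return any(app in ROLE_GRANTS.get(role, set()) for role in user.roles)


def reachable(user: User, policy: Callable[[User, str], bool]) -> Set[str]:
    """Applications a (possibly compromised) account can reach under a policy."""
    return {app for app in APPS if policy(user, app)}


def blast_radius(user: User, policy: Callable[[User, str], bool]) -> float:
    """Fraction of the estate exposed if this one account is compromised."""
    return len(reachable(user, policy)) / len(APPS)


if __name__ == "__main__":
    contractor = User("sales-contractor", frozenset({"sales"}))
    for name, policy in (("perimeter", perimeter_allows), ("role-based", role_based_allows)):
        print(f"{name:10s} reach={sorted(reachable(contractor, policy))} "
              f"blast_radius={blast_radius(contractor, policy):.0%}")
```

Running the block shows the same compromised contractor account exposing 100% of the estate under the perimeter model and 20% under the role-based one.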
The CISO today is facing an unwinnable battle. They are expected to protect the network from cyber-attack, when that perimeter is becoming larger and more fluid by the minute, without full control over policy and implementation. Is it any wonder that the number of breaches continues to escalate?
When every business decision has a technology implication, cyber security clearly needs board-level engagement; it must be organisation-wide rather than silo-focused; centralised and consistent. And it must be based on a Zero-Trust ethos to segment users and applications rather than infrastructure. Done well, security is not simply a defensive strategy, but an enabler of better enterprise performance – and those organisations with a C-suite that prioritises cyber security are not only in a far better position to minimise risk but also well placed to drive tangible business value.
Dan Panesar is VP EMEA, Certes Networks