The weakest link

You may never find yourself exchanging phone numbers with a Saudi prince, but CEOs and business leaders swap contact details all the time. For Jeff Bezos at Amazon, this was just another routine step along the path that led to a massive breach of his security.  After a personal connection, what is more natural than accepting social media contacts?

Today, companies are under ever increasing pressure to ensure their business processes are robust enough to withstand a cyberattack. Firewalls and anti-virus software are installed, patches applied and staff required to change their passwords on a regular basis. Access to files is restricted to those who need them for particular aspects of their work, processes are put in place for staff who leave and user access to the computers they use is restricted to ensure they don’t do something stupid.

Yet at the same time, we see a rise in the number of possible attack vectors open to the criminals. Social media channels offer new ways to get past the watchdogs and security measures in place. Staff are making great use of cloud-based storage to share documents and larger files. Everyone in your business has a smartphone that’s capable of wreaking havoc yet we regularly let staff ‘bring their own device’ and companies like it because there’s more appeal for staff to work late or on weekends if they do so remotely.

All of this creates more opportunity for the bad guys and more risk for organisations, and especially for business leaders. Because while security restrictions are usually put in place vigorously across the company, the one person who should have extra layers of protection tends to demand fewer.

The boss tends to get the special treatment which allows him or her to have greater access to files and services. They may receive more leniency around passwords and security protocols, and have a hands-on role with their marketing team when it comes to a presence on social media including Twitter, Snapchat and WhatsApp, even if company rules prohibit such activity for others.

Jeff Bezos’s (and other high-profile business and political leaders) Twitter use demonstrates CEOs and organisational leaders are willing to live by a different rule to the rest of the team, and that leaves the organisation open to some serious challenges.

How do you tell the boss that he or she shouldn’t have admin rights on their laptop? That they shouldn’t give out their contact details to everyone they meet, no matter how royal? What about insisting they don’t use their work phones for personal use, such as social media, even when they use social media to talk with customers and represent the company?

It’s a minefield for the security team because, of all the staff in the organisation, those at the top are more likely to be targeted by criminals trying to harvest information and access sensitive information. ‘Spear phishing’, where criminals attempt to pass off communications as being from the CEO or financial department, is a growing area of concern. Having senior leaders who are active on social media, and use it interchangeably with email and other more formal channels of communication, makes life doubly difficult for the security team.

So in light of Jeff Bezos’s breach, here are five tips about cybersecurity for CEOs:

  1. Private vs company

If you do want to share your contact details, use a cut-out service. A phone number that you only use for those instances or an email address that your executive assistant (EA) manages. Keep some distance, and keep it ring-fenced so if there is a problem, it’s limited.

  1. Security isn’t optional

Boring but true. Talk to your cybersecurity leads about how best to handle your specific needs. Routine sweeps of your accounts and devices might be required – especially if you travel overseas a lot – so be prepared for some hassle and annoyance. It’s not their fault – it’s good that they nag.

  1. Set the boundaries for staff

Make it clear how you’ll communicate with the rest of the company. You might use a social media account to talk about the company publicly but you won’t use it to message the CFO at midnight to make an urgent transfer of money, for instance. That way if you are hacked it shouldn’t lead to the company running into financial strife.

  1. If in doubt, there is no doubt

Be suspicious of every communication you receive. If a competitor suddenly wants to share files with you, if a new supplier sends you something directly via an unusual channel, if someone offers to invest large amounts of money out of the blue, be suspicious and if in doubt, check in with your cybersecurity team.

  1. Less is more when travelling

Sure, you might need a laptop and a phone when you’re travelling but you’re also more vulnerable to an attack. Talk to your cybersecurity teams about risk mitigation when on the road and how best to handle that. You should back everything up before you go. You may also be advised to take a ‘travel-only’ laptop (and, depending on the country you are travelling to, perhaps a tablet only) and a phone that can be wiped when you return.

The best defence against cyberattacks is both preparation and planning. Consider the risks, and plan and anticipate the consequences of a breach in terms of your company, your business and you personally.  Doing these things means you’re in a better place to manage any potential attack. And remember that we all suffer from ‘optimism bias’ – “why would anyone target me?” Don’t rely on having never been attacked as proof that you won’t be. Just ask Jeff Bezos how that worked for him.

David Eaton is Associate Director of Cyber Security for Datacom.

Managed Services in 2014 – How is it Evolving?

Managed services as a topic in and of itself doesn’t always get the attention topics such as cloud and mobility do. That’s largely because managed services covers such a large umbrella of technology services that it can often be absent from conversations about specific solutions. It’s important to relate these single solutions back to managed services because it changes the way they are consumed, designed and supported. Take note of the following predicted managed services trends for 2014 and how you can use them to improve business.

Enterprise Content Management

More than 60 per cent of midsize businesses are using Microsoft SharePoint to organise and share information, according to Forrester. TechNavio anticipates the global enterprise content management (ECM) market to increase to $9.6 billion in 2014. ECM can help businesses improve records management, search and e-discovery and document capture. A managed services provider can help integrate organisations’ disparate data and management systems to improve content workflows and accessibility. And as Ovum expects mobility, social media and cloud computing to transform ECM in 2014, business can take advantage of a managed services provider to help incorporate these additional capabilities into a complete ECM solution that fully allows anytime, anywhere access to content of all types.

Managed security services

This year will be a particularly busy one for the managed security services — or MSS — market, according to Gartner. The research firm predicts the MSS market to grow from $12 billion in 2013 to more than $22.5 billion by 2017. Increasing security threats brought about by BYOD and mobile apps and advanced persistent threats (APTs) coupled with a lack of internal resources to manage all these threats is driving the MSS growth. Australia already suffers from a lack of skilled IT resources, and the IT security realm is no different — a major risk when threats are continuously becoming more numerous and complex. The result will be more organisations enlisting the help of a third-party security service or managed services provider that can address incident response and detect APTs. In some instances, these managed resources will work with in-house staff and, at the very least, will educate internal employees on how to best protect the business.

Cloud services managed for you

As we’ve written before, consuming cloud through a managed services provider can help organisations leverage best-practice, enterprise-level technology and delivery methods. Having your cloud services managed for you by expert IT providers lowers risk and frees up internal IT staff time — it also makes the integration more seamless. With the recent rise in organisations using a multi-cloud approach — where businesses consume at least two different types of cloud services —, businesses will increasingly need a provider to procure, design and manage these different cloud service providers and platforms. This includes overseeing all the SLAs, performance metrics and billing for you.

Cyber Security is Not Quite All Hype – Your Organisation Needs an Appropriate Security Posture to Protect Itself

By Richard Byfield

A Gartner VP recently suggested thatcurrent cyber security discussions on advanced threats are just hype to which most commercial enterprises should not pay attention. The argument likened cyber security technologies and practice to a “Ponzi scheme”, whereby the returns never match the investment and essentially entrap business into an ever increasing dependence on vendors and technologies.

This viewpoint is bound to draw attention from security vendors, practitioners and consumers. In part, it is most likely designed to create that very response and is a conversation that needs to be had. On the record, we have to agree with the sentiment. Advanced nation state threats are not targeting every commercial enterprise operating in Australia. So why should a business with a market cap of $4 million spend 25 per cent of that value trying to protect themselves from threats that are, in essence, of low to almost no threat?

Yes, there are legal and regulatory obligations for businesses to protect both personal and financial data. There are implications for businesses on the availability of information systems affecting revenue, continuity and a business’s ability to maintain commercial operations. Not to forget the impacts upon the reputation of those organisations whose security is known to have been compromised. Who would feel secure visiting a retail store after media reports suggested that the point of sale mechanism was stealing credit card details for “foreign” hackers?

Like any service designed to support commercial operations, cyber security has a known commercial value and impact. The difficult part is in assessing the “what” of value and business impact. Without this, it is almost impossible to measure the business effectiveness of cyber security.

The security posture should equate to business risk and impact value

At Datacom TSS, our focus is on helping our clients establish a security posture appropriate for business needs. We view a security posture as your organisation’s level of risk based upon commercial asset values (revenue, capital, IP, reputational, regulatory, legal), actual threat and recognised vulnerability. This is assessed against the maturity or effectiveness in ICT design, development, procurement, supply chain, policies, processes and service operations. We, therefore, begin by determining the impact of security specific to your business.

Based upon the assessment against your current security posture, a security strategy can be designed to mitigate or treat identified vulnerable areas in business operations. This strategy is always determined and traced against both business requirements and asset values. This ensures that security outcomes can be quantified against the value they protect versus the cost of implementation. Cost benefit analysis is essential in establishing commercial impact. Security must always be justified and quantified.

If the case for security cannot be justified, then the reasons for implementing security may not be well understood. If you cannot justify your expenditure against a business outcome, you most likely have paid for something you did not need.

The value of trust in your practitioner

It cannot be stated enough that many security outcomes do not involve the sale of a vendor product. As security practitioners, we must remain both solution- and vendor-agnostic in determining outcomes to security strategies. Without this approach, achieving a suitable security posture breaks down into an exercise of setting the strategy to meet product X. This, in turn, leads to businesses purchasing capability that had no impact against actual organisational security threats. The “What can we sell you today?” attitude will not extend effective security gains; adversaries are always adaptive and industry segment threats change constantly. Trust is the key. The truth that sometimes is counter to commercial interest is imperative in protecting assets. Without this, it is all hype.

The outcome

Cyber security is not simply a “product solves everything” industry. It is as much a service to ICT as ICT is a service to business. As such, each business should seek solutions that align with its threat profile and the value of its assets. Being cognisant of these facts will enable both enterprises and governments alike to deliver actual outcomes for cyber security. This will rationalise the current discussions surrounding advanced threats, including that of APT.

In creating an understanding of the position and posture of security, including the needs of business to achieve security, you will avoid the hype and deliver cost-effective capability outcomes.

Being Short-staffed is No Excuse for Mishandling IT Governance and Security

In the 2012 Governance of Enterprise IT (GEIT) Survey by the Information Systems Audit and Control Association (ISACA), organisations in the Asia-Pacific region reported a higher annual incidence of security breaches than the global average and a considerable shortage of IT staff.

The implication apparent to anyone who reads this information is that without enough IT support, organisations can’t get a grip on security. Adopting this mindset that security is only as good as the number of IT staff you have, however, is risky and may give a false sense of security to an organisation. Businesses do not need to pay more IT staff salaries to effectively enforce security across the workplace. Rather, they can approach increasing security awareness from two angles. First, they can develop meaningful business policies all employees are able to embrace and understand to further the cause of improved security. Second, organisations need to be able to leverage the right outside help to consult them on the best security approach to suit their specific business.

Setting effective policies

According to ISACA’s survey, most organisations expect the second most likely network security threat to occur in the next year to be caused by an employee mistake. Yet many of these organisations have no set security policies outlining what exactly employees should or shouldn’t do to avoid comprising security. Changing employees’ behaviour doesn’t begin with hiring more IT staff to enforce security — it begins with enforcing effective user policies across the business.

Organisations can define user policies based on organisation-wide, departmental or individual risk profile to determine who should have access to which data, networks and systems, and what types of web sites and applications can be used on different devices. If you allow BYOD, you should have a list of approved apps. If you use a cloud computing service, you should have a list of who can access it and who can’t. You should also consider providing lists of banned web sites and providing guidance on which corporate data can be accessed via VPN when employees or offsite.

Once you’ve established what employees should be able to do and have access to, you can then set the procedures for maintaining security and determining what happens in the event of compromised systems, devices or data. Consistent education for current and new employees will help your newly-defined security policies and procedures become engrained in the culture. Security awareness should be a part of every employee’s induction, where practical examples are used to demonstrate why policy, procedures and good security practices are necessary. Ensuring employees know who or where to access meaningful security advice and guidance is also useful. Security refresher workshops should be conducted annually for all employees and updated to reflect the changing threat landscape.

Enlisting the help of outside experts

It is unlikely you can invest enough money to completely secure yourself if you are connected to the Internet and external networks. So you need to understand how to make sure every dollar spent is spent wisely to get the best value from your security investment. Seek independent advice from a product-neutral expert — even better if it’s a consultant or company that has a background in high-level cyber security in areas such as government.

This advice will help you understand your security posture and keep up-to-date on its evolution completely irrespective of specific security products that might not fully protect your organisation. An independent security review can help organisations deep-dive into their security architecture to get an objective view of their needs and identify gaps. This type of customised, independent advice might also include certain tests, such as vulnerability or penetration testing, to ensure you really are protected from the latest cyber threats.

Remember that no one single person will be able to cover your organisation’s attack surface and the entire threat landscape. Rather than worry that you don’t have enough IT staff in place, draw upon your current department resources to help draft and enforce policy and educate employees. Remember, too, that drawing upon external advice can help your organisation get the overall security picture it needs to prevent future threats.

Datacom Delivers Secure App Container Approach to Protect Data for Government

Depending on an organisation’s data and app security needs, there are a few mobile application management approaches that let the IT department lock down corporate or government data. One option formore secure mobility that a government client of Datacom’s recently pursued to introduce BYOD into their department is the application container.

This software protects corporate or government data in an application container on a mobile device so it remains separate from the user’s personal data. Corporate or government data is segmented and only made available through authentication and enterprise-grade encryption. Users can’t move corporate or government data from the application container into the “personal” parts of their phones, and if IT wants to do a corporate or government data wipe, they can leave the user’s own data untouched.

Now, we’re not recommending having no security on the endpoint, especially if you are a government department. That’s the first line of defence if a device gets lost or stolen. By additionally securing the corporate or government data on the device, you can protect the information in the event an outside individual is able to crack into your employee’s phone.

Enabling secure mobility for government data at SEWPaC

The application container approach to protecting government data helped the Department of Sustainability, Environment, Water, Population and Communities (SEWPaC) meet the growing user demand for Apple IOS and Android devices whilst maintaining the level of security required by a government department.

Datacom ACT, which has had an ongoing IT services engagement with SEWPaC for several years, evaluated various technology solutions before selecting the Good for Enterprise software solution. Datacom integrated the container solution into the department’s ICT architecture, first conducting a pilot to ‘prove’ the capability followed by a rapid production rollout. This software allows departmental staff to securely send and receive email on both Android and Apple IOS based phones and tablets, as well as access and modify documents in a secure container.

Using NOC-based architecture to secure the government network, the container solution does not enable data sharing with any non-secure apps. It also offers IT staff the ability to maintain the same security policies regardless of the mobile platform that’s being used. IT staff use a web platform to manage BYOD deployments, including user policy, passwords and both corporate and third-party apps. The solution has helped take SEWPaC into the world of BYOD without having to worry about data loss at every turn.

“The secure separation between personal and organisational data is critical to allowing the department to access the benefits associated with BYOD without compromising our obligations to properly manage government information,” says Al Blake, Chief Information Officer for SEWPaC. “This aligns with our strategy of moving away from ‘hardware management’ to concentrating on what’s important — protecting information.”

Datacom is a sponsor of the inaugural Telework Week this week in Australia and New Zealand to highlight the increased productivity and cost savings that can be gained when employees work away from the office.

Security in the Cloud Part I: Creating a Business Process Policy

Even though private Infrastructure-as-a-Service (IaaS) cloud takes hardware management off an organisation’s plate, it doesn’t shirk their responsibility for security. In fact, the IaaS model tends to bring more security responsibilities to the organisation than other cloud models because the provider is only responsible for the infrastructure, according to the Cloud Security Alliance.

The good news is organisations can do their part to ensure the cloud remains secure by using a business process approach. By looking at what data employees have access to in the regular IT environment, organisations can begin to formulate a security policy in line with business operations. Here are security questions organisations should ask themselves when moving to private IaaS cloud.

What are your security and privacy requirements? What are the industry or government regulations to which your organisation must adhere?

How will you classify data and who owns it? This task might be given to a designated person in each department, who then can also give other individuals access to the data as they see fit.

Who has access to what? This includes managing authorisations, including employees who may need to gain access to additional privileges.

How will you add or remove users? This is essential for when new hires come on board or employees leave. Also keep in mind how quickly you want to be able to remove a user.

What web sites can be accessed? And how can users access blocked web sites they might need?

What data do you want to protect from other internal users? For instance, pay information is usually walled off from all other departments and users.

How will you monitor data and activity? This is crucial to watch for changes made to data, compliance with SLAs and for when it comes time to do data audits.

A good cloud services provider will guide you through your security process policy so that it matches up with your technical security requirements. Stay tuned for Part II where we delve into the technical security piece of your cloud.