By John Safa – Pushfor Founder and CTO
Anyone working in or around the cybersecurity industry is all too familiar with the glut of new year predictions that start surfacing before the seasonal holidays. Like most, I take the majority of these with a pinch of salt as they are often nothing more than a re-hash of the predictions from the year before. This in itself should tell us something, namely that there is little real change when it comes data security year on year. Sure, the threats evolve but are they new ones? Upon closer examination, they are usually just variations of the same old, same old. After all, is it not the case that SQL injection exploits, cross-site scripting, credential reuse, session hijacking and denial of service attacks continue to plague business week in, week out? Even those stories we read about how bad hackers are implementing artificial intelligence in their attack methodologies are really just revealing that criminals are automating as much of the threat process as possible, not that the threat processes themselves are new ones.
What did I discover from reading a bunch of those predictive reports, apart from an overwhelming impression that Mystic Meg has started a new career in the cybersecurity industry? Well, I was shocked, shocked I tell you, to learn that the cybersecurity skills gap will remain a pain-point for the enterprise throughout 2019; that email phishing will remain the primary threat vector for attackers looking to gain entry to enterprise networks and that the threat landscape itself will become even busier as more unskilled hackers leverage easier to access tools against an ever-expanding attack surface. If threat hackers are becoming less skilful, precisely because they are using more sophisticated tools and services that are becoming available to them, why not become more skilful in the security and privacy choices we make within the enterprise?
One report, which shall remain nameless in order to protect the guilty, even suggested that training non-security staff in incident response was the answer to the aforementioned skills gap. If skilled security staff are lacking, instead of training other staff in how to best react to security incidents why not use better tools that help mitigate the security risk in the first place? Sure, staff awareness is an important piece of the security puzzle, but it can only help build a partial picture. Am I the only person to see that the Chief Information Security Officer isn’t wearing new clothes but is, in fact, stark naked? I can’t be alone in wanting to slap the c-suite around the face with a gauntlet bearing the words embroidered large: CHANGE. YOUR. MINDSET.
Seriously, if the hack and leak mess that German politicians are dealing with right now isn’t enough to make the enterprise stop and think about information sharing and data storage in a new light then I fear all hope is lost. That one incident, with all the political and economic fallout potential it provides, demonstrates all that is wrong with current security thinking. What could well become the biggest leak of personal information and sensitive communications in German history so far, holds up a mirror in which the enterprise threatscape is reflected.
Let’s focus just on email shall we, as that has been at the core of the German leak; not only does it represent a primary incursion point for cyber criminals and nation states alike, but it also holds the key to dismantling reputations and business plans with the dissemination of just a few poorly chosen ‘confidential’ communications should they be made public. The knee-jerk response is to shore up our problematical email systems with one security solution after another. Yet if you step back and think afresh then you’d surely say, ‘if email is so problematic then why not replace it with something more secure?’ The history of technology has taught us, figuratively speaking, that something thought of as irreplaceable today won’t necessarily still be here tomorrow. If insecure-by-design email can’t protect the privacy of your business communications, then move to secure messaging services that were built from the get-go to do just that.
Forever adding layers of complexity to archaic systems, and most worthy encryption solutions are as user friendly for the average employee as email is a new and exciting technological advance, only makes matters worse. Part of the changing mindset I’m talking about must be an understanding that complexity kills security and keeping it simple really isn’t stupid at all. Unless those in the c-suite can step back from the abyss and start applying some of the logical business thinking that presumably got them into the boardroom in the first place, organisations will remain in a security Groundhog Day scenario where the same exploits repeat themselves over and over ad infinitum…