Maksim Kabakou - Fotolia
Security Think Tank: When will they ever learn?
Security learning is a career-long process, so as 2021 draws to a close, participants in the Computer Weekly Security Think Tank sum up the most important cyber lessons they’ve taken away from the past 12 months
Having worked at the sharp end of the cyber security industry for over 20 years, conventional wisdom suggests that we should have learnt lessons and come a long way in protecting our businesses, assets and critical national infrastructure (CNI). The truth is that while we have made great progress, cyber criminals are still one step ahead and too many companies make it easy for them by not doing the basics. This includes patching, multifactor authentication, segmentation, network hardening, and more.
So, while 2021 has been unique and challenging in many ways, it has also been depressingly familiar. Our penetration testing and red teaming exercises discover the same issues and vulnerabilities time after time. Many organisations that are sold a promise and invest hundreds of thousands of pounds in new cyber security technology are often left with a false sense of security. In reality, very few companies enjoy the levels of protection they think they have.
Cyber security has always been and remains a business problem first and foremost, rather than a technology one. It’s about having the security dial in the right place in the context of the business’s needs and risk appetite. To do this, business leaders first need to understand the risks and the value of their data assets to attackers to make informed decisions and justify investment in the right places.
But for many companies, it takes the hardest lesson of all – when they get attacked – to wake up, respond and take action. And it can be drastic. Companies hit by ransomware attacks – whatever their size – face a crisis that can be extremely costly, time-consuming and mentally exhausting.
It’s far better to learn from others and be proactive rather than reactive. And there are positive signs with a move away from the traditional checkbox approach to security to more outcomes-based security. This is where regulators and authorities define the desired outcomes rather than simply prescribing measures to get there.
It’s the difference between being told you need a 6ft fence to being told you need to do whatever it takes to keep people out. This change is being driven by regulator schemes such as CBEST in banking and financial services and similar initiatives in other industries, such as telecoms, aviation and energy.
What other lessons have we learnt in the past 12 months? A life-long lesson is that we know if you give in to bullies, they will keep coming back. The same is true for ransomware criminals. The only way they will stop is to stop paying them and work harder to shut them down. This will need the full support of the industry, governments and law enforcement around the world, but until these things happen, we will face more attacks.
The final lesson learnt is one of history and politics. Having lived and worked through the ups and downs of the global posturing and manoeuvring of nation states, combined with economic, financial and natural forces at play, it is clear that we are facing a period of global instability. And history tells us that this will inevitably manifest itself in increased state-sponsored and criminal cyber attacks.
You could say that in the last 12 months, everything has changed but nothing has changed. But our industry continues to rise to the challenge, despite continued skills shortages and a constantly changing threat landscape. The end-of-year report could read: “Performed well, but still more work to do.”
Security Think Tank Christmas special: 2021 in cyber
- Redseal’s Mike Lloyd reflects on how ‘anti-human’ approaches to aspects of security, particularly programming languages, are setting us up for problems.
- PA Consulting’s Cate Pye says security teams need to focus more on people, processes and systems, if they are to ward off cyber attacks in the ‘new normal’.
- The infamous SolarWinds attack may have technically happened in 2020, but it ensured that in 2021, supply chain attacks were top of everyone’s agenda, as Airbus Cyber security’s Paddy Francis reflects.
- The biggest issues faced by IT teams this year ultimately boil down to a lack of appropriate resources and documentation, argues Petra Wenham of the BCS.
- Despite nearly two years of remote working, there’s still much to be done to secure the hybrid workforce, says Jack Chapman of Egress.
- Chris Cooper of the ISACA reflects on a disastrous phishing simulation, and argues we’re not doing enough to get the security message across.
- Assessing your organisation’s risk exposure, and getting intimately familiar with the threat landscape you face, should be top of mind for CISOs after a tumultuous 2021, says Turnkey Consulting’s Andrew Morris.