There was a time when a crisis was a once-in-a-company-lifetime event that only happened to the unlucky. But today’s world is faster moving and more volatile than ever before.
The threat landscape we work in keeps changing and our adversaries are not constrained by international boundaries, or, in some cases, the secure borders we’ve constructed around our corporate networks. Crisis readiness is the new normal.
So, are the bad guys getting more sophisticated or are the issues we face the result of a numbers game, where we have thousands of assets to protect and threat actors only need to succeed once?
Sinisha Patkovic, the Vice President of BlackBerry’s Government Solutions team says “It is a bit of both. The number of connected endpoints is growing both outside and inside the enterprise, as is the number of interconnected data stores. Data workflow in one company can now span over dozens of vendors across continents and data centres and cloud applications to the handheld of another user”.
However, the security skills and strengths of each party in that information chain are different. And a relatively minor or obscure vulnerability in one product could be used by a skilled attacker to move laterally and exploit another.
“These nuances contribute to your corporate security posture and attack surface, for the better or worse. The more complex the structure of your corporate posture is, the harder it is to manage the security perimeter and ensure minimal ‘attack surface’” says Patkovic.
Many companies look to law enforcement agencies to assist with investigating and prosecuting threat actors. But there are challenges. Criminal gangs are no longer constrained by international borders so law enforcement agencies need pragmatic rules and better cooperation to thwart the actions of malicious parties. And, the emergence of IoT as a new threat vector further stretches the ability for law enforcement and governments to protect private citizens and businesses.
Patkovic says “We work closely with G20 governments on their mobile workflow security and secure communications. We also provide them with cybersecurity services to improve their cyber resilience. Australians have always been very progressive in their use of mobile technologies, and with our recent BlackBerry Cybersecurity Think Tank, this demonstrates the innovative thinking, creativity and openness to new techniques of cybersecurity, showcasing our commitment to bringing the next level of innovations to our customers”.
Patkovic says some government agencies may have fewer resources than their commercial counterparts. But he sees governments investing in cybersecurity capabilities such as cyber response and security awareness programs. Challenges remain as the dramatic pace of mobile and cloud driven transformation blurs the defence perimeters, making traditional security protection tools and techniques obsolete.
“We have seen that it is especially important for governments to hone in on their ability to protect national critical infrastructure, as well as sensitive and private government and citizen information,” Patkovic adds.
As governments and businesses improve their cyber-attack readiness and resilience, threat actors continue to develop their tools and capability, resulting in an arms race. But there is a way forward says Patkovic.
“Governments and businesses must use a systematic approach to secure their critical assets. This includes vetting vendors as well as the quality of their product security; vetting security in the supply chain; and leveraging trusted external cyber security services. Additionally, we have found that third parties often provide a unique perspective on complex problems and can help close gaps and minimise risks”.
Australian businesses will be subject to new mandatory breach notification laws in 2017. An unobvious value of data breach disclosure regulation is that it will help prevent similar attacks repeating within industry.
“The new notification laws will cause customers and markets to value cyber preparedness more than in the past. Organisations tend to not see an upside or incentive in reporting or talking publicly about security breaches and data leaks. Mandatory information sharing about breaches with a coordination body will allow for improvement of knowledge and readiness. Additionally, it will improve the overall cyber resilience of the industry,” he says.
One thing organizations can do, says Patkovic, is ensure systems are regularly patched and kept up to date. Many attacks take advantage of long-since patched bugs and flaws. While new classes of vulnerabilities are found by security experts, most of the threats still come from well-known types.
But IoT is a new threat vector as many devices do not have similar the same sorts of protections as traditional software, making standard vulnerabilities much easier to exploit.
One way to better secure systems is to make security a design priority early in the development lifecycle.
“As a company, we take a very serious approach to software development by including design of security early in the product life, and the quality assurance of security once it is implemented. We also employ security principles that help to contain attacks and minimise the risk even if there is a successful exploit of the vulnerability. We view this as a ‘defence in depth’. If you separate different compartments with security controls, you can use strong authentication and access controls at all levels of the system".
Of course, people remain a significant remain a critical element of every enterprise’s security strategy. Patkovic says that although security awareness training is critical we should not forget that human error is possible.
“Businesses must implement tools which will promptly intercept any errors and enforce security rules. The answer is in seamless security and usability. BlackBerry has accomplished this through BBM Enterprise and BlackBerry Workspaces, which ensures content remains secure and in your control every step of the way, even if it is downloaded outside of your organisation. It is easily integrated into other in-house products through Blackberry’s SDK”.
You can download BlackBerry’s report from the Think Tank event: "Is your organisation ready for a crisis?” from the Blackberry Enterprise Mobility Resource Centre.