This is what Dr Seuss said, and it is something the former Telstra CISO discussed during his opening keynote address at the Emerging Cyber Threats summit held in Sydney on 7 and 8 June 2017.
Technology, he said, has delivered lots of benefits to our society. But many of those benefits were completely unanticipated. He likened this to the introduction of electricity to our cities. The initial business case was the replacement of gas street lighting. At the time, the far greater potential was not yet conceived, much less realised.
Connectivity is the same, he said. “We are at the start but it's not surprising that it is being used for criminal activity.”
The pace, scale and scope of threats are already big, he said. This means hackers are always at an advantage. And the exposure of nation-state tools and potent capability by WikiLeaks and the Shadow Brokers puts a lot of power in the hands of hackers. The tools of nation-state attackers are now in the hands of criminal gangs and anyone with a few hundred dollars and the ability to navigate the dark web.
“Once someone is in, what they do next is a question of their intent,” he said.
Burgess referred to the recent WannaCry ransomware attack, something several presenters at the event called on when discussing emerging threats. But Burgess was somewhat critical of those calling WannaCry a wake-up call. He suggested that if you weren’t awake to ransomware as a serious threat, you were not doing your job as a security professional.
While “what to do about ransomware?” seems like a complicated question, Burgess says the answer is simple: patching systems and maintaining tested, offline backups mitigate the damage of a ransomware attack.
It’s a simple answer to a complicated question.
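“Tested” backups are the part of that answer that is easiest to skip. A backup only counts if a restore from it can be checked against what was originally captured, so the check below records a SHA-256 manifest at backup time and compares a restored copy against it, reporting files that are missing, altered or unexpected. This is an added illustration, not code from the keynote or the article; the file tree it builds in a temporary directory is constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file (path relative to root, '/' separated) to its SHA-256 digest.

    In practice the manifest is written at backup time and kept with the offline
    copy, separate from the live systems a ransomware infection could reach.
    """
    return {
        str(path.relative_to(root)).replace(os.sep, "/"): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest recorded when the backup was taken."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(name for name in manifest if name not in actual),
        "corrupted": sorted(
            name for name in manifest if name in actual and actual[name] != manifest[name]
        ),
        "unexpected": sorted(name for name in actual if name not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a restore that lost one file, altered another and
    picked up a stray file, i.e. the failure modes a restore test exists to catch."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "policy.txt").write_text("patch monthly\n")
        (source / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "notes.md").write_text("board questions\n")
        manifest = build_manifest(source)  # recorded at backup time

        restored = Path(tmp) / "restored"
        (restored / "docs").mkdir(parents=True)
        (restored / "docs" / "policy.txt").write_text("patch monthly\n")  # intact
        (restored / "ledger.csv").write_text("id,amount\n1,999\n")  # altered
        # notes.md deliberately not restored; stray.tmp was never in the backup
        (restored / "stray.tmp").write_text("leftover\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

A clean restore returns three empty lists; anything else means the backup cannot be relied on and should be treated as a finding before an incident, not discovered during one.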
One of the problems, said Burgess, is that we get distracted by a lot of hype. Security incidents are foreseeable events and we need to get away from complicated jargon and a compliance focus.
“Some of the most compliant organisations are the most hackable,” he said.
The focus, he said, must be on business leaders, and not just IT, identifying the right risks and putting together a response plan.
“In a crisis, it’s a team sport”.
The starting point, according to Burgess, is knowing what data you have. Before you can have a strategic discussion about information security with your board you need to answer five simple questions.
- Do you know the value of your data, not just in a financial sense, but operationally?
- Who has access in the company and supply chain?
- Where is your data? This covers on-premises, cloud, and mobile devices.
- Who is protecting your data?
- How well is your data protected, and would you know if you’re breached?
Armed with these answers, you can approach your board and senior management with the ability to address the risks in their language.
While the government is moving forward with a number of important initiatives and is in the throes of updating the cybersecurity strategy that was released just over a year ago, Burgess said businesses need to get on the front foot and not wait for Canberra to take the lead.
Burgess said the ASD’s Essential Eight security recommendations are required reading and, if implemented, will go a long way to mitigating many of the cyber risks of today.
Burgess said that, with over 80% of the country’s economy in their hands, SMBs need more support when it comes to cybersecurity. It’s important to keep the messages simple and use ongoing and regular communication.
While larger enterprises can dedicate resources to information security, government has a larger role to play in supporting this sector.