While cybersecurity is becoming our greatest threat, complexity is acting as a massive risk amplifier. Indeed, for many IT leaders, CIOs and CISOs addressing complexity can be even more of a challenge than addressing the actual cyber threats, explains Bill Mew.​

As we discussed in a recent expert debate on ‘The Digital HQ: How to Effectively Run Your Business in 2022‘, we need to address both cybersecurity and complexity at the same time; with security built in at all levels (from the hardware up) and with enhanced manageability enabling us to overcome the rising complexity.​

The problem is that complexity is widespread and, if anything, it is getting worse in many key areas:​

Cloud complexity:​

Many organizations have long-held digital transformation ambitions, based on strategic plans to migrate their workloads to the cloud. Whereas, once it was ‘do we want to migrate to the cloud?’, it soon became ‘in what order should we migrate workloads?’ And then for many during the pandemic it became ‘how quickly can we migrate them’ as the need to enable working from home accelerated their move to the cloud. Further complicating matters is the need to support legacy systems, many of which cannot be moved to the cloud easily or at all. There is typically also an array of SaaS applications, a proliferation of shadow IT instances, and particular workloads that are tied to different cloud providers, resulting in a hybrid multi-cloud reality that CIO’s have little choice but to deal with.​

Compliance complexity:​

At the same time compliance teams are currently facing numerous headwinds at all levels. Increasing compliance challenges are even hitting regulated industries, such as the financial services sector, which is already used to a significant burden of compliance, from Anti-Money Laundering (AML) and Know your Customer (KYC) to data privacy and MiFID (Markets in Financial Instruments Directive). A divergence of sometimes conflicting regional data sharing regulations has created a patchwork of data islands. Data sharing across the Atlantic has been impacted by the demise of Privacy Shield and across the English Channel it has been impacted by new trade processes as a consequence of Brexit. Add to this the various data sovereignty and data residency regulations emerging in various countries, as well as on a state by state basis across the US, and firms are facing an ever more complex compliance landscape. On top of this there is now the need to comply with a fresh wave of sanction requirements that are changing frequently. Thus, it is evident that compliance has become an almost impossibly complex task. Indeed, most organizations are now believed not to be fully GDPR compliant and many could well be falling short in other areas as well.

Cybersecurity complexity:​

If anything, the cloud and compliance challenges are dwarfed by the challenges that It leaders, CIOs and CISOs face in dealing with the rapidly increasing volume and sophistication of cyber attacks. ​

We are in an AI-powered cyber arms race, where black and white hats are battling to be the first to uncover vulnerabilities that they can either exploit or patch, but the black hats only need to be lucky occasionally while the white ones have to be lucky all the time. And if the rising volume of ransomware attacks and severity of supply chain attacks were not enough, IT leaders, CIOs and CISOs were forced to accelerate cloud migration plans during the pandemic with remote access creating additional vulnerabilities. And the worsening geopolitical situation means that in addition to opportunistic cybercriminals, they may also face well-resourced and highly-skilled state actors as well. Unfortunately, a proliferation of poorly integrated point products and security solutions mean that the management and interoperability of their cyber tools is often as much of a challenge as dealing with the cyber threats themselves.​

Countering the threats while overcoming the complexity​

Addressing the myriad of challenges will require a multi-layered approach with integrated and automated tools to help overcome the overall level of complexity.​

• Multi-layered: there is no silver bullet or single all-encompassing solution. You need hardware-based security and remote manageability baked in from the ground up, and this starts with the processor – those supporting Intel’s vPro platform incorporates both. Instead of focusing simply on a protective perimeter, multi-layered security provides ‘defence-in-depth’ with a ‘Zero Trust’ approach. While traditional security only really protects against known threats and known attack vectors, a multi-layered approach can also:​
• protect and guard against upcoming or increasing polymorphic malware​
• provide protection from an attack that comes through email attachments, files, adware, links, apps, and more​
• counter the potential threat from insiders and rogue administrators as well as from external actors (including those in the supply chain)​
• provide DNS-level security to safeguard against threats arising at the network level.​
• Integrated: rather than needing to develop skills for multiple point solutions, each with different implementation and management requirements and each with a different dashboard, CIOs need solutions that are not only reliable, but that can be managed via secure APIs from central management consoles to provide the desired ‘single pane of glass’. Again, Intel’s vPro platform and other leading security solutions provide this level of interoperability. As more vendors adopt such interoperability, APIs will enable IT and security teams to manage operations centrally from a dashboard of their choice, whichever is best for their business.​
• Automated: even with centralized dashboards though, the volume of attacks is making it impossible for security teams to manage threats in real time without a level of sophisticated automation. Such automation tools need not only to be finely tuned but must also include situational intelligence. For Security Operation Center (SOC) teams, ‘false positives’ are one of the biggest pain points, with too much time and effort often spent chasing security alerts that incorrectly indicate a vulnerability where none exists. ​

Automation can also have many other advantages – such as dealing with the dull and difficult, but nevertheless essential, tasks like backups or patch management. This can be a real challenge when dealing with a geographically dispersed array of devices. Ideally, you’d want to automate patch and update controls remotely. Unfortunately, this kind of remote management is only really possible if you have invested in devices that incorporate Intel’s vPro platform. ​Having Intel Hardware Shield built-in, allows such devices to deliver one of the highest levels of hardware, software, and data protection right out of the box. Not only does it minimize the risk of malware injection by locking down memory in the BIOS when software is running, but it also helps to prevent planted malware from compromising the OS. You also get a secure boot, allowing your PCs to launch into a trusted state.

With a war for talent and cyber skills in short supply, securing scarce resources only to waste them all with unnecessary complexity is no longer viable. However, with complexity increasing on so many fronts, expecting to overcome it without actively seeking to adopt fully integrated and automated tools, is somewhat unrealistic – just as addressing the cyber threat landscape is equally unrealistic without a multi-layered cybersecurity approach. Focusing on doing both together could well be the only viable option.​

Extortionists like multiple levers

In my last blog, I wrote about the perils of data growth and the increased ‘attack surface’ it presents, which was part of a wider message on data and sustainability. Here, I’m digging into the security aspect of data growth, how it relates to cyber-attacks and especially to ransomware.

Let’s start with the mind of the attacker. The more hooks they have you on, the more likely you are to pay. Even now, organisations (commercial & public sector) are still falling victim to ransomware without a reliable cyber-recovery strategy. If your attacker infiltrates your organisation undetected for months, not only can they encrypt your data, but they can also extract it. This is an increasing problem, known as leakware, or double extortion.

The idea behind leakware is that in addition to encrypting your data, the attackers will also make exfiltrated sensitive data publicly available. The idea is to scare you into paying the ransom not just to get back access to your encrypted data, but also to avoid regulatory fines and/or lawsuits. Both can be eye-watering in scale, and despite the headlines GDPR isn’t the scary one here – class action suits could cost many times more¹. There’s also the addition of brand-damage which can really hurt you depending on the sector you operate in. Leaked legal, financial, or medical records are particularly devastating, and research indicates that a data breach in a small or medium business leads to closure of the company in up to 60% of cases².

Ransomware-as-a-Service doesn’t come with an SLA

The murky world of ransomware has a lot of variability. Ransomware-as-a-Service means you could be hit by an inexperienced hacker looking to make a fast buck, or a ‘professional’ criminal gang with capabilities that rival that of nation states.

So, on the upside they might be bluffing about having your data… but how can you tell for sure? If they offer you a sample or file names, ask to see everything. It’s easy to make copies and a professional gang can (somewhat ironically) give you a secure connection. They wont worry about storage costs either. This will also give you some time to check your security logs, and to engage a crisis/breach management specialist³.

Doh! They have our sensitive data!

‘Well, that’s just bad luck, isn’t it?’ Unfortunately, regulators and litigation lawyers will always see the answer to that as ‘no’. From un-patched firewalls and VPNs to unsecured cloud buckets, and rogue employees, it’s always the fault of the organisation, and it’s the organisation that ultimately pays up. Er, but…

• My data was encrypted! Encrypting data at a storage level doesn’t help if hackers have user-level access
• The user shouldn’t have had the breached data in the first place! Still your fault – training, access controls, data policy etc.
• It was the database admin that made an insecure copy. A control issue: DBAs should not have un-checked access that enables them to make unauthorised copies
• How can we pay that much??? Maybe you shouldn’t have collected personal data that you didn’t explicitly need, or held on to data for so long

Where (and when?) did you park your time machine?

Sadly, if you’re in a situation right now where leakware has led to a confirmed data breach, you have very few options. ‘What about my cyber-insurance?’ I hear you say. Before you rely on it (or buy it) I recommend you research it carefully – many experts question its impact and its value⁴.

If you operate in the EU, and personal data on EU citizens is compromised, you MUST report a data breach to the supervisor authority within 72 hours. The UK’s Data Protection Act 2018 is the same. Regulations in other countries vary but trying to keep a breach quiet will invariably get you into more trouble and will always lead to larger fines than ‘fessing up’. You also have a duty to your customers (and suppliers) to notify them so that they can take any necessary action to protect themselves – failures here will harm you in court if that’s where you end up.

Ultimately, for leakware to work the cyber criminals are relying on your integrity falling short. If it does and you pay the crooks, how can you be sure they will delete the copies they have? You really can’t.

Three steps you can take today to mitigate the risk of leakware:

• Have a security review. Employ some security specialists to assess your organisation and importantly, act on what they say
• Sort your data out. Data growth increases your attack surface (risk) and costs you lots of money. Profile your data and expire, secure and archive based on content and business policy. Automate it for the future or you’ll end up in the same state again
• Get a training program in place. Your users are a big risk factor, and they are also your eyes and ears. Training helps reduce risk and spot issues early

No security is fool proof, so in addition to these steps having a backup and disaster recovery system that is resilient to ransomware is also critical. Look for a zero-trust security model, immutable backups, and air-gapped cloud storage as a minimum. These won’t help with leakware but are essential components of any serious ransomware risk mitigation strategy.

As I said in my last blog, sorting out your data can save you buckets of money, enough to beef up your security and train your staff, with change to spare. I can’t see any boardroom turning that down.

Sources:

1: EasyJet example: DPA 2018 (GDPR) states that companies who fail to secure personal data can be fined up to 4% of their turnover – for EasyJet in 2019 it was a little over £6B; pre-pandemic law firm PGMBM planned to file an £18 billion class-action lawsuit for the same breach. While neither are likely to meet the headline figures, the company could end up paying out on both

2: 6 Potential Long-Term Impacts of a Data Breach, Security Intelligence, Nov 2021 https://securityintelligence.com/articles/long-term-impacts-security-breach/

3: Crisis management companies can provide forensic security services, expert IT support, legal help and reputational damage management – but don’t wait until you need one to research them

4: Cyber-Insurance Fuels Ransomware Payment Surge, security Threatpost, June 2021 https://threatpost.com/cyber-insurance-ransomware-payments/166580/

I caught up with Rupesh Chokshi, Vice President of AT&T Cybersecurity at AT&T Business, to get a preview of his two presentations for the upcoming 2021 AT&T Business “Business Summit” titled “Reinventing Reality”.

AT&T Business are hosting their annual Business Summit in a virtual format this year, on October 27th & 28th, 2021 in American Central Time (CT) time zone. Registration is free! There’s a link below to register.

Featured speakers this year include:

• Anne Chow, Chief Executive Officer of AT&T Business
• Indra Nooyi, former Chairman & CEO of PepsiCo
• Shaquille O’Neal, American basketball star & philanthropist
• note: there are more than 60 amazing sessions across the two days!

Rupesh is actually presenting two talks this year, which are titled:

The Age of Cybersecurity:

• Connecting and protecting your business in a digital world
• scheduled for October 28 at 11am CT

Cybersecurity and Edge Networking:

• Delivering the next level of enterprise protection
• scheduled for October 28 at 2pm CT

Without giving away too many secrets, which given his role is something he’s naturally good at, keeping secrets that is, what Rupesh was able to share both a taste of what we can look forward to at the event.

Rupesh also shared some very powerful insights into what Rupesh and his team within the AT&T Business “AT&T Cybersecurity” division offer their customers.

There is so much you’ll be able to take away from this fireside conversation in this episode of our podcast Conversations with Dez, both on the two talks Rupesh is presenting, but also broadly across the current trends and challenges organisations of all shapes and size are facing and how AT&T Cybersecurity are helping those organisations address those challenges.

A brief summary of what Rupesh and I discuss includes the following key topics:

Trends in Cyber Security

• Hybrid Work
• Multi-Cloud Adoption
• Security and Network Convergence
• 5G, IoT, and Edge
• Pervasive security fabric
• End-to-end protection of users
• Protection of devices, networks, apps, and data

AT&T’s vision for cybersecurity and edge

• Customer Edge – Software Defined, IoT Driven
• Network(s) – Intelligent, High Speed
• Cloud Ecosystem(s) – Multi-cloud, Distributed
• Embedded Pervasive Security Fabric – Customer Edge, Network
• End to end protection of users, devices, networks, applications & data
• Identity / Endpoint, Advanced 5G Security, CDN / DDoS
• Secure Access Service Edge ( SASE ), Extended Detection & Response
• Importance of the Culture of Cybersecurity
• Security is not an IT and technology issue, it’s a business issue
• Connected economy and business continuity being under threat
• Digital trust
• The Culture of Cybersecurity is a shared responsibility

New AT&T capabilities in the market

• Comprehensive view of security is key
• Successful adoption of SD-WAN
• Shifting focus to SASE
• Protecting endpoints with XDR solution

Example Use cases from IoT, Enterprise & Data Centres, Infrastructure & Healthcare

• Securing Industrial IoT
• Zero Trust access with security support for industrial systems
• Enabling the future of healthcare
• Resilient, low-latency network with centralised security management
• Protecting Your Company
• End-to-end protection of Devices, Networks and Data, Proactive remediation of Ransomware and DDoS

For the full conversation and so many amazing insights, and key actionable takeaways for any organisation facing the challenge of wrapping up the year that is 2021 and facing the unknowns of what the new year in 2022 will bring, you’ll want to push PLAY now, and tune into the full discussion.

Please register now for the AT&T Business Summit here => http://bizsummit.att.com

Add do make sure you add both of the talks Rupesh is presenting to your calendars, for both:

• 1st presentation is on October 28 at 11am CT
• 2nd presentation is on October 28 at 2pm CT

For more information about AT&T Cybersecurity, please visit: https://cybersecurity.att.com/

This podcast was made in partnership with AT&T Business.