32,999 feet, 624 mph, -73˚F and 97 miles from Bakers Lake… that is one place in the world that does not have an information security problem because it does not have the Internet. It might be the only place on this earth where your data is safe.
Truth be told, it probably does have the Internet, which underlines the fact that data risk has nothing to do with geography and everything to do with the motivation of cybercriminals.
The war for your data continues in 2016. It’s going to require MSPs and IT admins to be on their “A” game, as the focus is going to shift from “D” for defence to “D” for detection. Also required is a better understanding of breach risk and where data requiring protection exists in the network.
As an industry we used to obsess about the “who” – as in who was responsible – when it came to security incidents. However, if you are a fan of mine you’ll know I’m of the opinion that it does not matter – a breach is a breach. It’s bad news when the data is in someone else’s hands and there is a really good chance they have been in your network for some time – on average, that time is just over 200 days. This is why the focus needs to be on detection, and the only way to do detection is to have multiple layers of security.
Do we even care “how” the breach happened any more? That’s a good question. In the SME world of flat networks, most of the time we know the “how” – it was a link or an attachment and it probably arrived via email. I’m impressed when I find out it was some IoT device with a default password that was not even changed at installation – installations with default settings are still a problem. In fact, if you are doing that, please stop reading my stuff because clearly you’re not getting it. Change the damned default password and vow never again to be so naive.
For the rest of us, it’s probably an outdated version of Adobe Flash, or maybe even Silverlight, that let the bad guys inside. So, next time patch faster. Now that we have gotten rid of the readers that don’t understand the layered defence of cyber security and subscribe to the channel of blaming the antivirus for every catastrophic security incident, it’s time for the big takeaway of 2016. Seriously, I can’t stress this enough: you’re going to fail if you don’t get a grip on the layered defence.
Layers of defence give you strength in depth
The narrative for 2016 is about convincing your customers or your business to deploy layers of defence that stretch well beyond the realm of antivirus. You need to implement reactive, proactive, and detective technologies to have a chance against the next generation of malware that is going to attack your networks. We have the technology at your fingertips, so why are we still struggling with the deployment?
There are two problems here: justification of layers and the demonstration of value.
Let’s tackle those one at a time:
Justification of Layers
Continued information security reporting has been relentless and should be viewed as helpful, but relying on this as the marketing plan for your customers is fraught with peril. Too many of the reports focus on the “who” – shadowy hackers working in countries far away – and not enough on how the attack took place or, more specifically, which defensive measure failed.
The key to “sales” of security layers is to identify the costs of downtime and remediation efforts related to a security failure. Articulating the business value of removing Flash (or patching Flash weekly) to prevent ransomware outbreaks (or worse) is key. Getting lost in the breach rhetoric as it relates to large multi-nationals will not result in quick adoption by SME customers.
Demonstration of Value
This MSP and IT Admin “monster” has been consistently the nemesis of proactive IT services. Without tangible evidence in the hands of your customers, the business model of “we do all our work behind the scenes” slips into “what do the IT folks even do for us, we never have any problems.” This can eventually lead to customer churn as the MSP or IT Admin is “taken for granted.” Security layers, more specifically the reporting provided by those layers, can help immensely in demonstrating ongoing value.
Patches deployed (especially for those pieces of software frequently targeted by malware), malware detected and removed, malicious websites blocked, and successful daily backups are all extremely important reports that need to make it into the hands of your customers. When you add a weekly scan report from a vulnerability scanner that identifies new risks or the presence of unsecured information (such as database dumps), you demonstrate not only ongoing vigilance but also a commitment to the security of the customer or business.
Viewed through the lens of demonstrating value, layered security becomes the key performance indicator for measuring your own success in keeping the customer’s business safe. With layers in place, the chances of a breach are significantly reduced. However, layers, like everything else in IT, require constant monitoring as new threats and challenges are constantly encountered in the online world.
Ian Thornton-Trump, CSA+, CD, CEH, CNDA, CPM, BA is CTO at Octopi Managed Services Inc. Ian is an ITIL certified Information Technology (IT) consultant with more than 20 years of experience in IT security and information technology. He enjoys and maintains a strong commitment to the security community. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.
You can follow Ian on Twitter® at @phat_hobbit.