I remember playing hide and seek with the kids when they were small. I used to make this bad joke where I’d tell them to cover their eyes when hiding, because “if you can’t see them, then they can’t see you.”
Of course they would tell me how silly I was and go off and hide in unimaginably small places around the house.
Even the youngest of kids knows instinctively that this idea makes no sense. When it comes to cyber-security, however, it seems for the last decade that we have been collectively sitting in the corner in full view, with our hands over our eyes. Meanwhile the bad guys have been honing their technology and having the run of the house, with terrible and high-profile consequences. Fortunately, attitudes appear to be changing at last.
When eir performed in-depth customer research in 2015, what quickly became clear was that information security had become one of the top investment priorities for our enterprise and government customers.
When asked about areas where they were most likely to invest, across all sizes of Irish companies and government organisations, there was no segment where respondents didn’t list information security in their top three priorities. In fact, many customers listed it as their top priority.
Yet at the same time, it became clear that while Irish boardrooms were turning their attention and risk management activities towards the security of their IT systems and networks, there was a lack of understanding about how to proceed. Our research found that two thirds of all businesses do not feel adequately protected from an IT and network security perspective.
Nothing makes a business leader more nervous than a clear sense of an impending threat, and an unclear sense about how to respond. Although we are starting to move beyond the “hear no evil, see no evil” approach, the next job at hand is to figure out what should be done about it.
Stealthy malware can still leave network footprints
We thought hard about whether we could help in a meaningful way. Do organisations with networking and communications as their heritage, such as eir, have a role to play in the security space? We found the answer is yes, and it’s because of the growing sophistication of the malware.
Perimeter security is still the bread and butter of most security solutions. It used to be the case that if you battened down the hatches at the network perimeter, you felt you could sleep comfortably at night. It is now generally accepted, however, that traditional perimeter security, whilst still absolutely necessary, is no longer sufficient to minimise security risk.
The new mantra is not if you will be breached, but when.
Even as malware becomes better at hiding its footprints within the IT realm, it must still traverse the network, where evidence of such breaches will inevitably be present.
A troubling trend in the development of malware is stealth. Not only can malicious software be launched into a victim’s network from a distance by a remote attacker, it can also erase log files and otherwise hide its footprints, frustrating attempts to detect or investigate incidents.
But the network doesn’t lie, and signs that an attack is occurring or has occurred are often only detectable at the network level. In order to achieve its objectives, ultimately malware needs to use the network for a variety of purposes, such as remote command and control, exfiltration of data or just to snoop around. In this sense, there really is nowhere for it to hide.
As providers of that gateway, an organisation’s communications and networking partner is uniquely positioned to understand network threats, and to monitor for the suspicious network traffic patterns that can indicate breaches.
And breaches do occur. No one disputes that perimeter defences need to be as strong as they can be. But the prevalence of high-profile hacks means organisations must have a plan of defence that assumes a breach will happen, and that takes action to track, limit and stop interlopers if they do penetrate the perimeter.
Irish organisations that feel the need for improved defence but are unsure of how to proceed should begin by talking to their communications provider: can the provider help shore up security of their perimeter, while also monitoring the network for traffic patterns that could reveal an attack is in progress? An essential starting point is to regularly test your external and internal network for vulnerabilities and weaknesses to penetration. Good service providers will have these tests on offer.
The service imperative: moving beyond technology
The good news is that more Irish organisations are moving to improve their security posture. The bad news is that a service gap is now obvious.
That sinking feeling in the boardroom that perhaps the organisation isn’t doing enough to protect its information is often justified where it has invested in security protection but left it unmanaged.
In our experience, it’s not at all uncommon for enterprises to adopt solutions such as Intrusion Detection and Protection Systems, or Security Incident and Event Management, only to then leave the system in place without oversight or maintenance. Once critical alerts are ignored, or licences are allowed to lapse (and licence lapses do occur with alarming frequency), the intrusion protection device is little more than a dust collector, giving an illusion of security that may even be more dangerous than the total vulnerability of an unprotected organisation.
These fears are possibly compounded by a real human consideration: Surely I can’t be held accountable for something of which I was unaware? Unfortunately for those of that mindset, new legislation under the banner of the EU’s General Data Protection Regulation will hold firms much more strictly accountable for data breaches, and positions of plausible deniability will no longer hold water.
It’s true that, to date, there may have been more questions than answers for Irish organisations seeking truly enterprise-grade information security protection. But at last boardrooms are no longer hiding from the problem. Many have their eyes wide open and are seeking those answers, which can only be a good thing for employees, customers and the public.
Brian Martin is Head of Strategy and Planning at eir Business and responsible for development of its information security portfolio.