CSPs should demand money back if security products don’t work

With regulators asking communications service providers (CSPs) to do more to protect their own and their customers’ data, business technology journalist Antony Savvas looks at some of the battle areas they need to cover.

After a major US oil pipeline was crippled by ransomware last year, US president Joe Biden said major providers had to do more to protect critical national infrastructure, and that included communications infrastructure.

He issued an executive order that required federal agencies to adopt a “zero trust” approach to network security and tightened the security requirements on their suppliers. And after the recent sustained telecoms outage in Canada, which was the result of a network upgrade that went wrong, the Canadian government is demanding that operators there do more to build better resilience into their networks.

In addition, governments in Europe and elsewhere are introducing regulations that demand that CSPs build better protection into their networks, and have warned of big financial penalties if they don’t.

I recently attended the ISACA data security and compliance conference in Rome, to gauge the feelings of the professionals when it came to the state-of-play in securing industry networks, and it wasn’t exactly pleasant hearing.


ISACA is the global membership organisation for those working in IT governance and compliance, with 162,000 members. They are often the ones at the coal face when a major data breach happens, working with CIOs (chief information officers) and other senior execs to put things right technically and legally. They also, of course, do their best to prevent breaches happening in the first place.

Security vendors

Security risk and compliance consultant Richard Hollis, though, offered delegates a worrying critique of the security provider market.

Hollis said: “We’re not doing well, as an industry we’re failing, it’s 30 years down the road since the first worm was discovered. At the recent World Economic Forum, three of the top 10 greatest threats discussed were attributed to our industry, after 30 years of us trying!

“As an American, you know things are bad when the government steps in, because that’s when an industry is failing. It did it with the car industry, for instance, as it wasn’t putting $2 seatbelts in cars or fitting shatter-proof glass, along with other safety measures.

“And [referring to legislative moves being made by the Biden administration] the government is now making moves on ours. Just look at the breach numbers…we’re losing 18 million records a day. We know that from the mandatory reporting, but what’s actually reported is only a small part of what is lost.

“We’re spending more and more on cyber security and we’re losing more and more data, it doesn’t make sense to me. We’re caught in a cycle of failure.”

If CSPs are simply relying on their security vendors to help them, Hollis firmly rejected that hope.

“Our cyber security products don’t work. They are reactive when they should be proactive, but they never have been. They’ve never been as clever as the attackers who set the game. The vendors are giving us knives to take part in a gun fight.

“There is too much hype and FUD (fear, uncertainty and doubt) and it clouds our judgement, which it is designed to do, instead of us doing things that prioritise our business.

“Vendors profit from the insecurity of computing, their sales go up after every major breach. The products don’t work, but they make more money. They treat the symptoms but not the problem. Preventing breaches, that’s when they should make money.”

On accountability, Hollis said: “In any other business, if it doesn’t work, you send it back, just like you would with a flat screen TV that doesn’t work.

“All the product vendor leaders of our industry have been hacked themselves; they are not shepherds, they are just sheep, like the rest of us.” He stressed that organisations should ask for their money back if security products did not work.

The ISPs

Hollis also criticised the providers of internet services. “Why aren’t they part of the discussion too? They see the malware travelling to your business and do nothing. They see the source and the target. They’re like a big night club: they’re the door men, but they don’t keep the bad guys out, and those guys are hurting everyone else in the club.

“Why don’t we complain to our ISPs? They sell bandwidth but don’t make any money out of security, but they could, if we asked for it. All major ISPs have been breached in the last 18 months.”

Hollis added that those using security services had failed. He said that firms were supposed to have a strategy to use their security spending to protect people, processes and technology, but were spending most of it to just protect their technology.

“How about the duty of care to protect people? They are not just 1s and 0s,” said Hollis.

Zero trust

The conference heard a lot about zero trust, the approach named in the US executive order. Zero trust removes implicit trust from IT systems: being on the corporate network, or on a known PC, earns no access by itself, because any user, device or workload may already be compromised. Every request is treated as if it arrived from an untrusted network, and the identity, the state of the device and the specific resource being asked for are verified before any permission is granted.

Such an approach acknowledges that some of the most damaging attacks depend on lateral movement within a network, so anything untoward has to be stopped and quarantined where it is detected, not just at the perimeter. Companies that realise this are adopting zero trust network access (ZTNA) systems.

Network segmentation

As a first step to adopting ZTNA, organisations should move towards network segmentation. This is the practice of dividing networks into different logical segments and having complete control of the traffic going through and between those segments. It is designed to reduce the attack surface, preventing threats from spreading laterally throughout an organisation.

To do this, a business needs a full view of every network it operates: visibility at the network, application, workload and process levels, across on-premise data centres and multi-cloud environments in every region where its data assets sit.
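The two ideas above, no implicit trust by network location and explicit control of traffic between segments, are easiest to see side by side in code. The following is an added illustration written for this article, not code from ISACA or any vendor mentioned here. It constructs a handful of hypothetical network segments and access requests for a fictional operator and runs each request through two policy engines: a legacy perimeter model that allows anything with an internal source address, and a zero-trust model that ignores source location and requires a verified identity, a healthy device posture and an explicit segment-to-segment allow rule, denying everything else. All addresses, segment names, identities and rules are made up for the example.

```python
"""Perimeter trust vs zero trust: same requests, different decisions.

Added example, not from the original article. Segments, rules, identities
and requests below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_ip: str
    dst_port: int
    identity: Optional[str]   # verified user/service identity; None if unauthenticated
    device_healthy: bool      # outcome of a device posture / attestation check


# Constructed segmentation: CIDR -> logical segment name (hypothetical).
SEGMENTS = {
    ipaddress.ip_network("10.10.0.0/16"): "corp-workstations",
    ipaddress.ip_network("10.20.0.0/24"): "billing-db",
    ipaddress.ip_network("10.30.0.0/24"): "subscriber-api",
}

# Constructed zero-trust policy: every allowed flow is listed explicitly as
# (identity, source segment, destination segment, destination port).
# Anything not listed is denied by default.
ALLOW_RULES = {
    ("svc-subscriber-api", "subscriber-api", "billing-db", 5432),
    ("alice@csp.example", "corp-workstations", "subscriber-api", 443),
}


def segment_of(ip: str) -> str:
    """Map an address to its segment; unknown addresses are 'untrusted'."""
    addr = ipaddress.ip_address(ip)
    for net, name in SEGMENTS.items():
        if addr in net:
            return name
    return "untrusted"


def perimeter_allows(req: Request) -> bool:
    """Legacy model: anything originating inside the network is trusted."""
    return segment_of(req.src_ip) != "untrusted"


def zero_trust_allows(req: Request) -> bool:
    """Zero-trust model: identity + posture + explicit rule, default deny.

    Source location only selects the segment used in the rule lookup; it
    never grants access on its own.
    """
    if req.identity is None or not req.device_healthy:
        return False
    rule = (req.identity, segment_of(req.src_ip), segment_of(req.dst_ip), req.dst_port)
    return rule in ALLOW_RULES


def evaluate(requests):
    """Return (perimeter_decision, zero_trust_decision) per request."""
    return [(perimeter_allows(r), zero_trust_allows(r)) for r in requests]


# Constructed sample traffic.
SAMPLE_REQUESTS = [
    # Legitimate: the subscriber API service reads the billing database.
    Request("10.30.0.5", "10.20.0.10", 5432, "svc-subscriber-api", True),
    # Lateral movement: compromised workstation, no verified identity, targets the DB.
    Request("10.10.4.77", "10.20.0.10", 5432, None, True),
    # Stolen credentials used from a device that fails its posture check.
    Request("10.10.4.77", "10.30.0.8", 443, "alice@csp.example", False),
    # Valid identity and posture, but no rule lets a workstation reach the DB directly.
    Request("10.10.4.77", "10.20.0.10", 5432, "alice@csp.example", True),
]


if __name__ == "__main__":
    for req, (perim, zt) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(f"{req.src_ip} -> {req.dst_ip}:{req.dst_port} "
              f"perimeter={'ALLOW' if perim else 'DENY'} zero_trust={'ALLOW' if zt else 'DENY'}")
```

The perimeter engine allows all four requests because every source address is internal, which is exactly the condition that lets an intruder move laterally once one workstation is compromised. The zero-trust engine allows only the first, and it denies the last three for three different reasons: no identity, failed device posture, and no explicit rule for that segment pair. Note that the rule lookup needs the segment map to be complete; a host that is on the network but in no known segment falls into "untrusted", which is the visibility point the article makes.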

Matt Chiodi is on ISACA’s digital trust advisory board. He says of ZTNA: “It is estimated that over 70% of companies have started planning for ZTNA, and I think that is probably accurate, but IBM says there is only ‘low-level maturity’ across companies when it comes to the technology, and it’s right most organisations are very early in their take-up.”

Chiodi warns, however, that it isn’t just technology that is needed to protect apps and data, it is also policy. He says IT governance, audit and compliance specialists must insist on better security policies with the full backing of their boards.

ISACA is currently readying its new Digital Trust Framework. Chiodi said: “Validations need to be done and proved, which our framework will help with. By combining ZTNA, for instance, and working to a framework, companies will see costs related to any data breach coming down.”

Cyber insurance


Rolf von Roessing, a key ISACA developer on that framework’s working group, said spiralling cyber insurance costs were a problem across industries in response to wider and more serious cyber security threats.

He said: “The framework will provide tools for our members’ work and any organisations working to it could potentially see their cyber insurance costs better controlled.”

He added that if companies properly assessed their systems against the advice and recommendations made in the forthcoming framework, they would be better protected against “moral hazard”, for instance, and could instead be offered “fairer” insurance premiums.

The Digital Trust Framework is currently in draft, but it is expected to be publicly available by the end of this year.

The author is Antony Savvas, a global freelance business technology journalist.

