"Sometimes the questions are complicated but the answers are simple". This is what Dr Seuss said and it's something former Telstra CISO, Mike Burgess, discussed during his opening keynote address at the Emerging Cyber Threats summit held in Sydney on 7 and 8 June 2017.
Technology, he said, has delivered lots of benefits to our society. But many of those benefits were completely unanticipated. He likened this to the introduction of electricity to our cities. The initial business case was the replacement of gas street lighting. At the time, the far greater potential was not yet conceived, much less realised.
Connectivity is the same, he said. "We are at the start, but it's not surprising that it is being used for criminal activity".
The pace, scale and scope of threats are already big, he said. This means hackers are always at an advantage. And the exposure of nation-state tools and potent capability by Wikileaks and Shadow Brokers puts a lot of power in the hands of hackers. The tools of nation-state attackers are now in the hands of criminal gangs and anyone with a few hundred dollars and the ability to navigate the dark web.
"Once someone is in, what they do next is a question of their intent," he said.
Burgess referred to the recent WannaCry ransomware attack - something several presenters at the event called on when discussing emerging threats. But Burgess was somewhat critical of those calling WannaCry a wakeup call. He suggested that if you weren't awake to ransomware as a serious threat, you were not doing your job as a security professional.
While "what to do about ransomware?" seems like a complicated question, Burgess says the answer is simple. Patching systems and maintaining tested, offline backups mitigates the damage of a ransomware attack.
It's a simple answer to a complicated question.
One of the problems, said Burgess, is that we get distracted by a lot of hype. Security incidents are foreseeable events and we need to get away from complicated jargon and a compliance focus.
"Some of the most compliant organisations are the most hackable," he said.
The focus, he said, must be on business leaders, not just IT, identifying the right risks and putting together a response plan.
"In a crisis, it's a team sport".
The starting point, according to Burgess, is knowing what data you have. Before you can have a strategic discussion about information security with your board you need to answer five simple questions.
- Do you know the value of your data, not just in a financial sense, but operationally?
- Who has access in the company and supply chain?
- Where is your data? This covers on-premises, cloud, and mobile devices.
- Who is protecting your data?
- How well is your data protected, and would you know if you had been breached?