
Is it time to stop blaming organisations for being breached?

The IT security industry needs to look at itself and its practices before blaming organisations that have been hit by cyber attacks

Another week, another data breach. It seems to be so common now that organisation after organisation is getting breached in one way or another. With that comes a myriad of security “experts” jumping on the media bandwagon and offering their insights.

Well, I say “insights” – in the main it’s jumping to conclusions or sharing news articles with no opinion offered whatsoever.

And so, LinkedIn timelines fill up, everyone shakes their head, some people get five minutes of exposure and in time the breach dies down and another week rolls by and another breach occurs.

We can all point fingers and speculate as to the seemingly isolated root cause, like patching, all the while ignoring the elephant in the room – and, by the way, I cannot think of a single breach that was caused by a patching failure in isolation. It is never one thing, but a compendium of issues across an organisation.

Back to the elephant. What strikes me from this conveyor belt of breaches is that many organisations have not got a clue what they are doing, or if they do are not able to enact it.

We are seeing catalogues of bad practice, be it a fundamental lack of policies and procedures, completely flat architectures, firewalls so loose they are effectively there to heat the datacentre, no access controls or monitoring, blatantly no incident response capabilities – the list goes on.

This isn’t one organisation, but many. Look at the sheer scale of these breaches, and how public they are. These don’t scream “nation state attacker”, but gaping holes.

Cyber nasties

Let’s think about the bad guy, or girl, for a second. The thing about a cyber nasty is they like the path of least resistance – the simplest way to achieve their desired outcome. Why? Because it is cheap and easy. Cheap equals a larger return, and easy, well, equals easy, which involves less investment and thus also a better return. 

Why use a zero-day attack – which costs a lot of money to discover and weaponise – when they can exploit a 10-year-old vulnerability? Why not walk through the front door you left wide open rather than tunnel under the organisation to break into the vault?

Attacks are getting more sophisticated. But if the vulnerability is older than the attacker, you can’t really call it a sophisticated attack
Ed Tucker

So, we have cyber nasties that like simplicity and organisations almost advertising a straight line to the pot of data gold. Data is the new currency so is it any surprise that we are seeing so many breaches, from major corporations to SMEs? It’s like everybody leaving all their doors and windows open, valuables on show, and wondering why people are being burgled.

That said, the suppliers are right and attacks are getting more and more sophisticated. But if the vulnerability is older than the attacker, you can’t really call it a sophisticated attack.

Technology is getting more sophisticated by the minute, so why wouldn’t attacks be more sophisticated? But it doesn’t mean attackers don’t like simple routes in, and that basic controls, cyber hygiene – whatever you call it – doesn’t reduce the risk significantly.

Not knowing the basics

The problem is that many organisations simply don’t know how to do the basics, or even why they should. Our industry always seems to deal with a 30,000-foot view rather than getting into the weeds to explain things properly. It is like a teacher telling a class they need to learn physics and then leaving the room never to be seen again. You wouldn’t expect children to learn that way, so why would we expect the security industry and organisations to magically learn the same way?

Security education is hard – it really is. But unless we start truly educating our peers and organisations then we shouldn’t really expect them to change and improve. We can get serious all we like, have awareness months, hashtag away to our hearts’ content, but the simple fact is we are not educating, and as a result not learning.

Security is supposed to be a team game, but for the most part it is experts playing as individuals. It’s like watching an under-sevens’ rugby team where one kid does everything and the rest stand still gazing at their navels.

As an industry, security is lagging. Our business and IT colleagues are riding off into the technological sunset, while we stand still wondering why people aren’t patching, or lacking in awareness, or having firewalls so open that they should be replaced by a switch.

By the way, for your external firewall, anything beyond ports 25, 80 and 443 should be risk assessed and only opened if absolutely necessary for business operation. It is basics and still we are getting them wrong.
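One way to turn that rule of thumb into a repeatable check, as an added example rather than the columnist's own code: audit an external-firewall ruleset and list every allow rule that opens anything beyond 25, 80 and 443, so each one can be risk assessed. The rule syntax, the ports flagged and the sample ruleset are all constructed for this example and do not correspond to iptables or any product's format.

```python
# Added example (not the columnist's code): audit a simplified external-firewall
# ruleset against the column's baseline of 25, 80 and 443. The rule syntax is
# constructed for this example, not iptables or any product's format:
#     action proto src_cidr dst_port    # dst_port: "443", "8000-8100" or "any"
BASELINE_PORTS = {25, 80, 443}

def parse_ports(spec):
    """Destination ports a rule covers; None means it matches every port."""
    if spec.lower() == "any":
        return None
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return set(range(low, high + 1))
    return {int(spec)}

def audit_rules(rules):
    """Return (rule, reason) pairs for allow rules that exceed the baseline."""
    findings = []
    for raw in rules:
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        action, proto, src, port_spec = line.split()
        if action.lower() != "allow":
            continue                           # deny rules never widen exposure
        ports = parse_ports(port_spec)
        if ports is None:
            findings.append((line, "opens every port: review immediately"))
            continue
        extra = sorted(ports - BASELINE_PORTS)
        if extra:
            shown = ", ".join(str(p) for p in extra[:3]) + (" ..." if len(extra) > 3 else "")
            reason = f"opens {len(extra)} port(s) beyond 25/80/443 ({shown}): risk assess"
            if src == "0.0.0.0/0":
                reason += ", exposed to any source"
            findings.append((line, reason))
    return findings

SAMPLE_RULES = [  # constructed sample ruleset
    "allow tcp 0.0.0.0/0 443",
    "allow tcp 0.0.0.0/0 3389        # remote desktop open to the internet",
    "allow tcp 203.0.113.0/24 22     # admin access from a partner range",
    "allow udp 0.0.0.0/0 any         # the 'heating the datacentre' rule",
    "allow tcp 0.0.0.0/0 8000-8100",
    "deny any 0.0.0.0/0 any",
]
```

Running `audit_rules(SAMPLE_RULES)` flags four of the six rules; the 443 allow and the final deny pass, and the wildcard "any" rule is singled out because no risk assessment justifies it on an external firewall.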

Chocolatey and Chef

I do wonder about the security industry. I wonder how many of my fellow professionals think a Chocolatey server is a vending machine, or that Chef is the Swedish chap from the Muppets. There is a wealth of technological opportunities to explore and the majority of the security industry is nowhere near ready to understand them, let alone exploit them.

We cannot truly exploit these possibilities unless we understand how to build the basics into their use. And we cannot do that unless we understand why and how to do the basics well.


I learned most of what I know from talking to people – learning from their mistakes, learning how they went about achieving an outcome, what the building blocks were and in what order. And then doing that in my own organisation – getting it wrong at times and learning from that. And then helping others to do the same.

I still ask hundreds of questions today and am constantly learning. Then you can move forward. Simple things like getting development teams to understand that adversaries are part of your user stories, like it or not. Getting them to think about how they could exploit the very thing they are building. You know what? They actually like that. It is interesting and helps them to deliver better outcomes for all of us.

Security experts should teach

Back to the crux of the matter. There used to be a marketing campaign in the UK aimed at getting people into teaching. It said, “Those who can, teach”. The same should ring true in security, except add the word “should” – those who can, should teach.

We are seeing ever-more significant ramifications for organisations that suffer breaches, and new legislation will drive that home. Equally, almost every organisation is going through a transformation. Both provide opportunity to make a difference and to help organisations get better.

You can build basics into your transformation activities and use that transformation to your advantage. Build security or data protection in from the start to make it truly transparent and complementary to the business outcome of that transformation. Make it repeatable too, but it is not going to happen without help.

The trouble is these organisations might well be in your supply chain, or a data processor. Either way, they are a potential route to you. That should be scary, and just asking them if they are GDPR compliant doesn’t cut the mustard.

We have recently acknowledged we should no longer blame the user, and that is right. However, until we actually start to educate, truly make security a team game and help organisations grow then should we blame the organisations either? It is patently obvious that most haven’t got a clue, are ignorant, or can’t enact positive security change.

There is help out there – like the amazing information the National Cyber Security Centre is pushing out – but it is scarce, and there is so much nonsensical noise out there, be it “helicopter views”, finger pointing, or a media more obsessed with hackable sex robots than being a platform for education. Much like threat intelligence, we need to find the high-fidelity information and champion that.

Until we do, I wonder whether we should blame the organisations either.
