Our Thinking | Intercity Technology

The road to ‘security hell’: Is it paved with good intentions?

Written by Che Smith | Jul 6, 2018 10:26:58 AM

One thing is certain - no business is safe from a cyber-attack. Most organisations will state that as we move to the midpoint of 2018, cybersecurity remains their number one priority. As organisations’ reliance on IT and digital increases, new threats seem to zig-zag alongside it, appearing on an almost daily basis, and as new security perimeters are constructed, attackers evolve their techniques.

Symantec states that it detected 357 million new variants of malware in 2016.

The threat environment is constantly changing, the pace of change is accelerating, and the sophistication is increasing: it’s extremely difficult to keep up.

As I meander through different sectors and spend time with different organisations, I see that cybersecurity is a common problem. The pace of change in cybersecurity is so fast that it’s easy to feel like a kite in a hurricane and even easier to close your eyes and act like the proverbial ostrich. This got me thinking of the common mistakes that I hear time and time again. Welcome to my essay on the road to security hell.

It’s said that the road to 'security hell' is paved with good intentions. A common interpretation of this saying is that good intentions, when acted upon, may have unintended consequences. Equally, individuals may intend to take good action but then fail to take any action at all. This is particularly relevant when looking at the world of cybersecurity.

I find that many organisations are in a state of “cyber-paralysis” owing to an ever-changing and complex environment. This inaction may be due to procrastination, laziness or confusion. Good intentions are meaningless unless the relevant actions are followed through.

Often those with good intentions believe that their practices are good for the organisation as a whole. In terms of security, staff may justify the collateral damage done to other IT projects because they believe that their security-based actions are for the greater good. For example, the Spanish Inquisition was established to eradicate heretics in religious states.

The harm done was obvious and acknowledged, but written off as a ‘price worth paying’. This could be mapped in a very loose way, for example, to the withdrawal of remote working or the rejection of a BYOD policy because of the security ramifications.

Let’s take a look at the most common security ‘good intentions’:

| Common good intentions | Security translation | Potential impact |
| --- | --- | --- |
| “We have always done it this way, it works!” | Best not rock the boat, we know what we are doing so let’s not change anything. | If you don’t live in a potential state of change then you are not prepared for the changing nature of threats and emerging risks. Your network will be left wide open for attack. |
| “I was trying to improve the situation” | The wrong people doing the wrong things. | Implementing the wrong or inadequate solutions can do more damage than good. Your network can become more vulnerable than when you started. |
| “I can do this better than anyone else” | Our network has never been or never will be breached. | You probably have already been compromised and because you think you are untouchable you can be slower to react. You should always think that there is better out there, so you strive for greater things. |
| “I meant well, I was just trying to save costs.” | The wrong people doing the wrong things. The wrong people making difficult decisions. | If you don’t invest in your staff, solutions and security you will have the wrong people working with the wrong tools trying to hold back the tide. In this scenario, you will become a “kite in a hurricane”. |
| “I can give it up any time I like.” | Becoming too attached to your own services and solutions. | What you do today may not be right for tomorrow. Don’t rely on services that have worked in the past as they will soon be out of date and no longer relevant. This will leave your organisation wide open for a cyber-attack. |
| “Let’s wipe the slate clean and start afresh.” | Everything you are doing doesn’t seem to be working, let’s rip it out and start again. | Build in layers on what you have, sometimes having multiple vendors will benefit an end to end solution. Otherwise you will be constantly starting afresh. |

Good intentions can pave the way to hell, so let’s explore the steps within hell in a bit more detail. There is no better way than to take a few lessons from an expert, and I’ve chosen Dante. In his work, the ‘Divine Comedy’, he talked about 9 circles that lead you down into hell, each with its own set of consequences.

With a cybersecurity flavour, the 9 circles could look something like this:

| Nine Circles of Hell | Behaviour | Translation | Solution |
| --- | --- | --- | --- |
| 1. Limbo | Do nothing - your security is probably good enough. Anyway, things are moving so fast it will be best to wait to see what happens. | There are so many solutions, vendors and products out there that it’s too easy to become overwhelmed. Sometimes it’s easier to do nothing and try to sit it out. This cyber paralysis is exactly what the cybercriminals want. | Doing nothing is not an option. Small steps are better than no steps. Use audits and vulnerability assessments to take stock and look at the most vulnerable areas of your network first. If security is not your bag, outsource this element to the professionals. |
| 2. Lust | I want what they have. Their security solution looks better than ours. We should change to mirror their solution. | With so many different solutions available it’s easy to think that people have implemented better solutions than yours. Most of the time it is just different. Lusting after different solutions can lead to constant change, unfamiliarity and ultimately excess cost to the business. | As long as you are with a leading vendor and your products and software are up to date you should be in a good place. Constant change is not always conducive to a stable network and can lead to other key initiatives being delayed. It is often best to build on what you have. No two businesses are the same, so what one organisation is using may look better but it might not be right for your organisation. |
| 3. Gluttony | If it’s free, I want it. Let’s get every free or low-cost solution that we can, that should keep us safe. | More is not always better. It’s easy to be fooled into downloading free software and building your own “frankenstack” solution. I am sure cybercriminals will have an easier time manipulating free software as opposed to more sophisticated solutions. | Multiple vendor solutions are a good option as it will protect you from a single platform or software’s vulnerabilities. But it is highly recommended that professional advice and solutions are built in a single security strategy rather than pieced together with freebies. |
| 4. Greed | Let’s get every possible new solution that’s on the market and get it working immediately. | As easy as it is to do nothing, it’s probably as easy to do too much. Senior leaders will want their organisations protected and IT teams may believe the best way to do this is to get as many solutions as possible. Too many different solutions can lead to confusion and gaps. | A single security strategy with the right vendors and solutions is the way forward. Too many solutions managed by an inexperienced team can lead to holes in the strategy and incompatibilities between products. Once again if it’s not your bag let a professional organisation take over the running of your security strategy. |
| 5. Anger | Why are things not working? It’s impossible to keep up as there are so many threats. | It is easy to get frustrated with your own security position as it’s such a changing environment and cyber criminals will always be looking at ways to adapt. Anger is a natural reaction as many of these threats are completely nefarious and should be avoidable, but they are a way of life in the modern cyber world. | Cyber threats are unavoidable, and everyone is susceptible (most are not personal). As soon as this is accepted then anger can be set to one side and a robust, thorough security strategy can be put in place that includes the proactive and reactive sides to security threats. A little anger is not always a bad thing as it will keep you vigilant. |
| 6. Heresy | What if the security advice that has been given to us is wrong? It feels too expensive! We should probably invest in other areas. | There are lots of contrasting positions, marketing stories, case studies and ways of working that can often make you question your security strategy. | All IT areas will be jostling for budget, so it is important that budget for security is fluid so that it can adapt to meet the changing nature of the external and internal environment. Have faith in the security professionals. If you don’t have the skills in house, don’t fake it - bring in the experts. |
| 7. Violence | I have had enough. Let’s scrap everything and start again. It’s the only way to keep ahead. | The changing nature of the security environment can quickly lead to existing solutions becoming viewed as out of date. It is often a natural instinct to scrap what you have and start again. This can be an expensive strategy. | Avoid that natural reaction to start again. Assess and audit what you have, build on what you have started rather than discarding what has served you up until now. |
| 8. Fraud | I don’t really feel comfortable with all that’s happening, but I am sure I can blag this and keep things ticking over. | The one area of technology you just can’t take risks with is security. Good in-house staff may be hard to find. | If teams are struggling, it’s time to get help. You need the right people who have earned the right badges. If you don’t feel you have the capability in-house make sure you find the right security partner. |
| 9. Treachery | It will never happen to us; our people are diligent and will keep us safe. | The one area of weakness that is often neglected is often seen as an organisation’s strength - its people. People will want to use the best technology that is available and will often contravene security policies to do so. People can open up backdoors that can then be exploited by cybercriminals. Unwitting traitors cause organisations thousands of £s. | Make sure your policies are as tight as your security solutions. They need to be well communicated, with everybody in the organisation aware of the importance of cybersecurity in everything they do. |

What does this tell us?

  • Feed your security staff, treat them well, help them grow and they will make your organisation strong.
  • Ask for help and make sure you find the right security partner. Only by using experts in the field will you be able to navigate through what is a very hostile environment.

CCS Insight estimates that Microsoft, Amazon and Google together spend more than $2 billion a year on security in their cloud products. It’s safe to say that investment in security must be somewhere towards the top of your agenda. However, I would be hesitant to say that investment in innovation research and trying new things should be reduced in an effort to subsidise your security survival fund.

It’s all about finding the right balance for your business.

But wait! It’s not all about fear and panic!

If you believe the great storytellers like Dante, then fire has a strong link to hell. Fire is one of the oldest words in the English language. Its creation was linked to survival. Rub two sticks together and you’ve got light, warmth, and a sense of security. The human race has always been pretty good at survival - no matter what challenges appear, we will find solutions that adapt in kind. Cybersecurity is no different, so if you want to avoid the pathway to security hell, ask us at Intercity Technology about the benefits of lifting your next-generation security perimeter to the cloud, or watch our latest on-demand webinar hosted by Che Smith and Intercity's Matt Johson.

Enjoyed this article? Learn more in our Summer 2018 edition of Intercity Tech: Plugging the skills-gap, Is it time to stop circling the drain? - Your quarterly dose of news, success stories & practical advice from experts across the technology sector
