Stu has been a long term thought leader in Cyber Security / Information Security and we took the opportunity to mine his knowledge on a number of current issues in this space.
How have the recent lock downs changed how we conduct business?
The lock downs have certainly changed the way businesses operate. A seismic shift has happened from performing duties in a work location, to becoming location-less; the location-less workplace. Organisations had to scramble to ensure employees could operate effectively, but securely from their homes. However, many were not prepared for the consequences of such a ‘people-out’ scenario.
Companies who offshore experienced a greater impact as they would not allow their off-shore agencies’ employees to work from home, effectively shutting-down support operations. This has led to some serious re-thinking about how the “customer experience” is delivered by organisations and how the “employee experience” extends to such issues as Health & Safety, and Security in home environments. Issues which were previously a ‘nice-to-have’, have now become essential aspects of how business is conducted, ie. the mobility of the entire workforce, constant connectivity and security anywhere.
What are the biggest security priorities for businesses in 2021?
The interesting thing about security priorities is that they do not change that much. Fundamentally, it is about Confidentiality, Integrity and Availability; keeping information secret, accurate and accessible.
Currently and through 2021, there will be a significant focus on supplier security and this is demonstrated by the pressure some regulators are placing on their regulated entities. APRA in the FSI space, for example, have forced their regulated entities to look very closely at their supply chains, even talking about cascading their regulations onto suppliers to the FSI entities - even though those entities themselves fall outside of APRA’s remit. (I argued against this position with the Chair of APRA on a panel session a short time ago.)
However, it is an important consideration and organisations should place a priority on the security and sustainability of companies they rely on to deliver services.
What are the major threats to businesses in 2021?
The whole ransomware threat will not be going away, in fact it has not gone away since 1989 when the first attack occurred. Security is very much about ‘same sweet, different wrapper’. Organised crime and opportunists are making too much money for this to ever go away. In fact, you can buy ransomware software and spread it yourself, so the need for a technical capability has been removed. Anyone can be a ‘hacker’. Education and awareness amongst employees will be a key factor in addressing this.
As I mentioned above, organisations face a threat to their survivability due to their reliance on providers and those providers being an attack target. The [logistics company] Toll incident is an excellent example. They lost their systems to a cyber-attack and thousands of companies could not deliver goods to their customers.
What changes do you expect to see in the next five years?
As I mentioned, the attacks are not going away and will probably become more frequent as there are plenty of targets and lots of money to be made for the criminals. Therefore, we could see stronger legislation around punishing those responsible and an increase in sector-specific security requirements, perhaps previously unregulated areas proposing requirements around a cyber baseline.
I think we will also see a continued acceleration towards Cloud adoption within the security space in order to enable remote working to become the norm, as this makes delivering a more secure “location-less” environment easier.
There is also a lot of maturity that still needs to occur in the way Australian businesses approach cyber security. However, there are some great technologies within our amazing country and the innovation capabilities are quite impressive. Strangely however, there is a reluctance of businesses within Australia to adopt what is home-grown and right on their doorstep. My hope is that within the next five years, we will see a step-up in maturity (and I do include the big banks in that statement), a realisation that we can change the old mantra of ‘nobody gets fired for buying IBM’ and a more cooperative approach between organisations in relation to cyber security.
What are your top priorities coming into Law In Order in the first 12 months?
As I wear two hats, it will be identifying a balance between the two roles. This ratio will always be in flux, but the two are symbiotic; supporting the business in revenue growth, whilst also protecting that revenue from the costs associated with security issues.
Importantly, understanding the heartbeat of the business is key for me and embracing the more fun aspect of getting to know everyone in the organisation. One thing that has struck me is the can-do culture and the way everyone is very ready to support each other. So, that is a priority for me; fitting into that culture and doing my bit.
Speaking from a security perspective, it is getting the balance between security and business efficiencies. We cannot secure the company out of business. I have started working with Mick Campbell and his team, and it is full steam ahead with respect to security projects. Also, engaging with customers on the incident to continue winning their trust.
Could you walk us through a recent, real-life scenario and how the business was affected?
I have been involved in many incidents - responding not creating. Okay, maybe a bit of both (is this the time to apologise to my university for breaching their systems in my first week?) I also have a few comedic ones, such as a lovers’ tiff which resulted in an entire company almost going out of business. There is one significant incident which I think will resonate with Law In Order and that’s the Oracle v SAP case (it’s in the public domain, so I’m happy to name names). This cyber scenario resulted in a legal case that went on for seven years and initially cost SAP US$1.3B, which was later reduced to US$380M, significantly affecting profitability and reputation.
To quickly summarise the case: SAP employees asked Oracle customers for their user identities and passwords so they could access the Oracle Support infrastructure and download as much content as possible. Why? SAP offers (paid for) support on Oracle products and some customers were migrating from Oracle to SAP for various reasons. So, before their support period expired with Oracle, they provided their identities and passwords to SAP, and SAP downloaded a lot of intellectual property. These out-of-band downloads triggered the alarm bells in Oracle and my team went into action to respond and investigate. We quickly identified the source as SAP and reported this to the CEO. I can remember Larry Ellison’s exact words, which I will not repeat here. The Oracle legal team triggered action against them, whilst we liaised with the FBI on criminal charges and rolling out a global eDiscovery operation. SAP admitted their guilt due to how sound Oracle’s evidence was. I have in my possession the actual SAP internal chat message of an employee saying “they got us”.
Why is this interesting? It highlights the significance of how valuable information is. It took multiple experts many years in court arguing over this ‘value’. We can appreciate the value of things we can touch (laptops, tablets and phones), but try and place a dollar value on those photos you love, the value of our own intellectual property and that of our customers.
What is a common security mistake you see many businesses making?
In a nutshell, it is companies who assume that by having a security team, they are secure and it is that security team’s responsibility to keep the company secure. In reality, and this is a good litmus test of a company’s security maturity, it is the information owner who must take responsibility for securing the information and engaging the security/technology teams in a cooperative manner, whilst ensuring their own actions and the actions of others protect that information.
A company is only as secure as the carbon unit that exists between the chair and the keyboard – you! Embracing a security culture sponsored from the top-down and making everyone aware and responsible is something I wish I saw across more organisations.
How should people increase their knowledge about data protection and IT security?
This is a great question and this answer might seem a little left field. Fundamentally it is to understand the risk equation by playing through scenarios. If I have an ‘asset’ (as an example, an email is an information asset), what is it ‘worth’, what can happen to it (the threat), how likely is that to happen, what would it mean if it did happen (the impact) and therefore, how can I reduce/remove those factors?
We do this every day. Crossing a road is a great example. You are the asset, you could get injured, it is likely to happen with fast-moving cars, less likely on a quiet road and we reduce the risk by using a proper crossing.
Applying this to your work laptop - it could get stolen/lost, it is likely as it is carried between work and home every day, it would significantly impact Law In Order as it stores data on employees’ and customers’ information. I can reduce the risk by never leaving it in the car unattended, ensuring that all data is encrypted and always screen-locking.
We look forward to hearing more of Stu’s insight and stories from his experience in senior leadership roles within multinationals including the telecommunications, technology and risk & security sectors.