Cyber security is now a national concern and something that affects businesses of all types and sizes. That was the key message discussed at Vodafone's first Future-Ready Workplace Series webinar, when Edel Briody, head of corporate security at Vodafone Ireland, and Greg Day, EMEA chief security officer at Palo Alto Networks, got together to chat earlier this month.
During the hour-long virtual event, the trio talked through the challenges and trials facing companies attempting to keep their infrastructure secure at a time of increased pressure from cyber criminals, and in the aftermath of the HSE ransomware attack that paralysed the health system in Ireland.
Where cyber security used to be a back office concern, something only the IT function of the company really worried about, it’s now front and centre on the corporate agenda and it’s only likely to assume more importance as time goes on.
“So much of what we do now in cyber security is linked to overall strategic purpose. When I look across my organisation within Vodafone in terms of our strategic deliverables, security is fundamental to those and it also plays an active role in other parts of the overall company’s strategic business,” said Edel Briody.
“Ultimately our aim is to deepen the relationship we have with our customers and what matters to them matters to us, and security is at the very top of the list at the moment.”
Palo Alto Networks is one of the world’s largest and most significant cyber security leaders and, in the opinion of Greg Day, recent events have significantly accelerated the rate at which security is growing in importance, along with the adoption of cloud technologies. Where previously most companies had a plan to migrate their functions gradually to the cloud over an average of three years, Covid 19 forced that to speed up exponentially.
“The plan was compressed from multiple years down to just weeks. But that’s the reality for businesses, when something happens they have to figure out a way to continue moving forwards. When GDPR was announced, it took years for companies to get ready for it but then when Covid 19 came along and the lockdowns started, it took less than one week to reinvent how things worked,” said Day.
“People had to figure out new ways to collaborate, both inside their business and with their customers. Now security has to play the catch up game, and it will probably take years to get there fully,” said Day.
Cyber criminals are all too aware of the challenges companies are dealing with in the pandemic, and they’re ready to take advantage in whatever ways they can. Distributed workforces using laptops remotely, working from spare bedrooms and kitchen tables, are ripe to be targeted for phishing and ransomware attacks.
“During the pandemic it became apparent that Vodafone offered critical national infrastructure and we needed to remain resilient, to step up and keep our customers safe and connected. And that meant we had to adapt internally very quickly, changing how we did things yet making sure that our staff remained connected and knew what the right thing to do was,” said Briody.
“Security culture was a key focus for my team and I last year. It’s important to stay humble in this regard and not to think this couldn’t happen to us.”
For many tech companies, the challenge of transitioning to remote working wasn’t that much of a problem. A significant number already had much of their infrastructure and applications in the cloud and accessed it remotely, so the groundwork for being able to switch over to working from home had already been laid.
However, not all companies were in that position, and those that weren’t were on a steep learning curve.
“I have to be honest, the day after the pandemic hit felt pretty much like a normal day to me, as we were already set up to allow for working from home. But the majority of people out there in other companies had to discover entirely new ways of engaging with each other and with their customers,” said Day.
“They had to figure out how to collaborate in terms of sharing potentially sensitive data, depending on the industry they worked in. Before, maybe five per cent of their staff connected with a VPN and the rest sat in an office. That had to change overnight.”
The first step for underprepared companies, according to Day, was to completely rethink how their employees worked, pivoting from what best suited the company to what best suited the situation. If people were going to be working remotely, then top of the list of priorities was a secure connection back to the office.
Next they had to streamline their processes, making sure that each one was matched to the infrastructure that best suited it.
“This kind of thing is an opportunity to drive efficiencies. However, the danger of this way of organising things is that when we talk about the cloud, we can actually be talking about 10, 20 or even 30 applications delivered remotely under the software-as-a-service model,” said Day.
“Some of them have their own security and some of them have no security, and so the challenge is how do you maintain consistency? Where are these applications hosting your data and how does that fit into the laws of the place you’re located?”
Day also suggests that many organisations weren’t fully aware of just how digitally dependent they'd become in the last few years.
“There's a challenge for boards to be going back to their businesses literally every month and saying, how exposed are we to digital issues in areas that are key to our business's success? What part of that is now digital?” he said.
“In addition, what about our suppliers? How exposed are they to existential digital risk and how does that impact on us potentially? Is there a ‘house of cards’ risk whereby if one organisation falls victim to a cyber attack, it causes a chain reaction of connected companies to be impacted?”
To help combat this, it’s important to identify who in your organisation needs access to which systems, eliminating any situation in which people could potentially access data they don’t need. The reason? If your security is compromised, such controls can act as ‘fire breaks’ restricting the damage that can be done.
“Let's focus in on who needs access, and why do they need access? Let's focus in on the things that are key to the business success, and then reduce access just to those that need it. Even then, you can't necessarily guarantee the person using your system is who you think they are, so you still need to log and verify what they're doing,” said Day.
“This is really about saying as we open up the world and make it evermore interconnected, what is best practice to reduce risk?”
According to Edel Briody, there’s a real need for companies to increase the sophistication of their security function, or to partner with an entity like Vodafone that can help bolster their security preparedness.
“When the cyber criminals become more sophisticated then we need to get more sophisticated in how we test, how we simulate and how we bring to life all of the controls we use. Our people are a significant line of defence, so it’s important to keep up with the threat landscape and security culture,” she said.
“We need to ensure that we remain relevant as security leaders in terms of keeping up with the threat changes out there, and then know how to break that down for the different stakeholders in the company, from board level right the way through to the most junior person, because we’re all links in a security chain and we’re only as strong as our weakest link.”