May 24, 2015 by Angela Stelmakowich, Editor
The significant impact a single failure can have in an environment of quickly advancing interconnectedness and interdependency on the Internet demands a new way of thinking about cyber security, argues Ray Boisvert, president and CEO of I-Sec Integrated Strategies.
Speaking at the ARC Group Canada Spring Seminar 2015 in Toronto Thursday, Boisvert, a former assistant director, intelligence with the Canadian Security Intelligence Service (CSIS), cited an industry estimate that the number of devices connected to the Internet would soon be north of the 60-billion mark.
“The Internet of Things is everything connected in our homes, our offices, everything that transforms our lives daily and increasingly becomes interconnected and, more important to you, interdependent,” he told attendees. “One failure can have really stark consequences for your personal lives and for your professional existence.”
The challenge is that everyone is living in an environment where the threat surface keeps on growing. Why? Because of the Internet of Things, Boisvert said.
“We have more things that are connected to the networks and we have deeper supply chains. We have a big global network. We have more partners and alliances that work together, but they are part of your network without having to meet the same standard,” he pointed out. “No matter how much you may invest, others may not be equal to the task and that’s a very, very common gap.”
Boisvert suggested that “any kind of business in any kind of environment, whether you’re in a law firm or you’re selling insurance or manufacturing widgets, you are first and foremost an IT company.”
Cyber security must be looked at as being part of the business, he recommended. “It’s part and parcel of our DNA,” Boisvert said, emphasizing that today’s businesses use IT for everything.
As such, protective measures taken must be in line with the new and changing environment. Boisvert pointed to the most recent Sony hack, where, among other things, access was gained to corporate emails. “Think about all that privileged and confidential information that exists currently on your server,” he said.
With regard to Sony, “We’re talking about firewalls. We’re talking about old technology. We’re talking about the old age of Internet security, about perimeter security, stopping threat actors before they penetrate your organization. Well, that’s just not on anymore for 2015,” Boisvert emphasized.
“The days of the old perimeter security are dead. Now we’re looking at much more advanced analytics. It has to be contextualized properly using the right approach in terms of big data ingestion and so on, but mostly focus on behavioural, anomalies on the network,” he said.
People certainly matter, Boisvert emphasized. “And the only way to solve that part of the puzzle is to invest in awareness,” he said, noting that positional awareness starts at the organizational level.
“Where are you as an organization, where is your client as an organization on the threat threshold in terms of where are you on that threat matrix. From there, you can make smarter investments if you’re positionally aware,” he suggested. “The same for employees. They have to understand that they are part of either the opportunity for enrichment or they will be the undoing of the organization, perhaps more often than not, unwittingly.”
It is important to have in place defences against hidden attacks, such as malicious code and activity, Boisvert recommended. “I do believe that about three-quarters of organizations that have been targeted for penetration have, indeed, been fully and effectively penetrated,” he said.
But there is also a need to adhere to basic data hygiene. “Most experts will tell you that if people, if institutions and organizations just did the basics – just patched, did all the updates, didn’t click that blue line from that phishing email that is so enticing without pausing for a nanosecond,” he said.
Other best practices for organizations include focusing on technology that is cutting edge, knowing the true size of the organization’s network, encrypting key data, ensuring data is effectively segmented, owning the organization’s network (as well as ensuring all staff, regardless of title or function, are responsible when using that data), and understanding the threat environment (including by researching who is talking about the organization).
Challenges, however, remain. There is currently a lack of governance and leadership, Boisvert suggested.
“There are no international covenants, there are no international agreements of any substance that are going to lead to a better framework or infrastructure to help support all the things that are needed around raising our level of cyber assurance,” he told attendees.
“I’m a true believer that we are in the realm of new-era risks,” Boisvert said. “We’re now in a new age, this new era where over five dozen countries have advanced cyber capability. And that means we’re looking at many, many organizations that have extremely, extremely deep skill sets,” he added.
“What I find extremely disturbing is the fact that cyber, and to a lesser degree insider threats, are devastating our future prosperity as a society and a country,” Boisvert told seminar attendees.
“We are part of this great internet economy. It has brought unprecedented levels of wealth and knowledge and everything we know and do today,” he said, adding the Internet accounts for about 3% to 4% of GDP (gross domestic product).
This “is something that is incredibly valuable and something that we must protect from the issues of intrusion, breaches and other things,” he emphasized.