Written by Phil Armstrong, President & CEO, Macanthium Ventures
In the beginning…
When computers were first introduced as strategic business tools, we operated a rather medieval architecture to protect our corporate assets and customer data. We built a perimeter around our data centre “castle” and funneled all inbound and outbound digital interactions across an electronic “moat”. In the castle lay the corporate network, business applications, and sensitive information. Meanwhile, the digital moat represented the DMZ – the “De-Militarized Zone”. It contained technology designed to inspect traffic and authenticate users to determine access privileges. The routers, firewalls and appliances housed within the DMZ performed specific functions, often containing complicated, hardcoded rules and logic. The DMZ was brittle, expensive to operate, and hard to maintain: routine maintenance changes or misconfigurations often resulted in business outages… or castle breaches.
Flash forward to today
This model was completely redefined with the introduction of the Internet, and more recently complemented with advancements in surrounding technologies such as Wi-Fi, mobile and utility computing, cloud, 5G, and AI and machine learning. The pace of change has been accelerated by the pandemic, which advanced the need for digital transformation and remote, virtual work practically overnight.
And of course it’s not just computers on the Internet anymore: the “Internet of Things” (IOT) and other operational technologies include smart endpoints like thermostats, lightbulbs, watches, refrigerators, healthcare devices, factory and production line sensors, cars… and even cows! A recent estimate predicts there will be 31 billion connected IOT devices by the end of 2021 – that’s almost four devices for every person on the planet, streaming real-time information into huge data repositories – and there’s no end in sight.
The castle and moat approach is outdated, impractical, and inflexible in today’s distributed world. There is no more perimeter: the Internet has connected everything.
The death of the corporate network and the birth of cyber crime
The corporate network has been forced to relocate to the Internet, often referred to as the intelligent edge or edge computing. Multiple cloud providers now replace legacy datacentres, scattering corporate assets, customer data, and access points across different suppliers and geographies. The death of the corporate network and the abundant access granted to the Internet mean organizations must be extra careful with validating identity before allowing anyone – or anything – to access corporate digital resources. As a result of this shift, we see a rise in demand for sophisticated identity access management solutions, which are often reinforced with multi-factor authentication to negate the effects of stolen credentials.
This increasingly connected world – where customers, employees, and suppliers are all accessing digital resources, often through their own devices – has provided infinitely more opportunities for cyber criminals to exploit vulnerabilities.
Most successful breaches start with a simple email, leading to stolen credentials, unauthorized access upgrades, lateral movement across the network, and the deployment of ransomware enablers. In the first half of 2021 alone, Check Point reports that ransomware attacks nearly doubled over the previous year, and global cyber attacks ballooned by 29%. The criminals are also getting proficient at hiding malware in encrypted traffic: Zscaler’s threat labs have measured a 314% rise of this practice over the last year.
There is a mismatch here that places the financial burden on the organizations under attack: the more sophisticated the malware (which is getting cheaper to buy), the more sophisticated the defense system required to defend against it (which is getting more expensive to buy).
The result? There is a growing risk of your system being hacked – and if you are breached, it will cost more than ever to recover. IBM’s “Cost of a Data Breach Report 2021” describes a 10% increase in the global average cost of a cyber breach, rising from $3.8M in 2020 to $4.24M per incident in 2021 (all figures USD). Other interesting findings in the IBM report show that breach costs in the public sector in 2021 saw a shocking 78% increase, with the healthcare and financial services sectors being targeted the most. And the global average number of days to identify and contain a data breach was 287 days (roughly nine and a half months) – a long time for threat actors to have access to your data.
We are living in a new world where the cyber criminals are highly organized and openly collaborating with one another. They are leveraging technology to lower the cost of entry, and now provide sophisticated hacking tools to a growing consumer base using a “ransomware-as-a-service” model. These tools provide high levels of anonymity with compelling profits.
The great cyber reset
We have reached a breaking point, where companies, institutions, citizens, governments, and countries must respond. How can we operate in this environment of elevated risk in a cost-effective and sustainable way? Is adequate cybersecurity protection becoming cost-prohibitive? To respond to this onslaught, the next generation of cyber protection tools and architectures is fast emerging. We will need solutions powered by AI, which are fast, responsive, flexible, economically viable, and cloud-based. Canada must embrace an ecosystem of technologies that incorporates advanced identity access management and inline traffic inspection capabilities. Global technology and business leaders are recognizing this and are hitting the reset button on their current cybersecurity plans. Emerging as the solution of choice is a “Zero Trust” architecture operating within a “Secure Access Service Edge” (SASE) ecosystem.
This solution hides the corporate network from view on the Internet – you can’t attack what you can’t see! – and prevents users and devices from attaching directly to digital assets or resources. It eliminates lateral movement, thereby dramatically reducing the risk of mass infection and successful ransomware deployment. A Zero Trust model validates all access every time, limiting the exposure from a compromised set of credentials, such as stolen user IDs and passwords, or from compromised IOT devices. Some Zero Trust solutions even offer browser isolation technologies that protect personal devices that don’t have their own sophisticated endpoint protection.
Poorly-engineered IOT devices can inadvertently provide an unsecured backdoor to your network, circumventing your current defences. The industry is littered with examples of compromised connected devices like smart locks, thermostats, security cameras or vending machines connected to your network with poor security design and protection. Enforcing a Zero Trust model can eliminate the risk of IOT malware outbreaks such as Gafgyt or Mirai, malware used to create botnets.
American President Joe Biden recently mandated that the U.S. Federal Government and associated agencies must adopt a Zero Trust Architecture. Companies like Zscaler are leading the way in developing and deploying Zero Trust solutions, supporting the tremendous interest in using Zero Trust as the foundation for future digital transformations, eventually supporting the transition to a “passwordless” environment. (I see this as the next big emerging trend for our industry.)
We need to adapt and move quickly to protect our citizens, companies, utilities, institutions and government agencies… but do we have the capabilities to make this transition? Can we make the shift towards a Zero Trust Architecture and a SASE ecosystem quickly enough?
We need more talent to pivot quickly
One of the most prominent factors that will hinder our adoption of the new architectures is the global cyber skills gap. A recent (ISC)² report indicates that there are an estimated 3.1 million unfilled cybersecurity jobs worldwide, with a recent ISSG survey suggesting that 76% of organizations surveyed are finding it difficult to recruit and hire cybersecurity staff. Developing skilled resources, building better skills pipelines, and uncovering novel talent supply channels is challenging, but essential. We must avoid teaching outdated skills, frameworks, and models: as we face the great cyber reset, Zero Trust, SASE, Cloud Security, and Identity Management will be the premium skills of the immediate future.
The surge in demand for relevant cyber skills, coupled with the effects of the COVID-19 pandemic, has also destabilized the market. A recent McKinsey report refers to this as the “Great Attrition”, suggesting that 40% of all employees are considering a change of employer by Q1 2022. We are already seeing an increased churn within the highly competitive Canadian cyber market. Canadian employers are really focused on how to engage, educate, compensate, and retain these valuable cyber employees.
Decision time
We have reached a critical inflection point within our industry. Technology and business leaders have a career-defining decision to make. Do they continue with the current approach of trying to integrate disparate cyber solutions previously purchased to mitigate specific risks in an outdated model, or do they hit the reset button on their current plans and embrace newer emerging cybersecurity architectures to futureproof their organizations? New architectures will provide a safe, scalable, and flexible foundation from which to execute the organization’s digital aspirations, but will management divert scarce resources to this transformation?
These critical decisions will likely determine the future success of many companies. For slow-moving and unresponsive businesses, a failure to plan is a plan to fail. Inadequate cyber programs can lead to inefficiencies, greater risk of data breach and reputational damage, and ultimately to fines, class action lawsuits, and board member liability. In contrast, proactive companies are embarking on their great cyber reset, with technology and business leaders showing an unquenchable thirst to learn more about Zero Trust architectures and SASE ecosystems.
ISA Cybersecurity, Canada’s leading cybersecurity-focused company, is seeing increased interest from organizations wishing to conduct independent cyber assessments to establish a baseline that helps management and boards enable their cybersecurity reset planning. They understand that business needs people armed with progressive cloud-based security skills, to activate the following nine critical steps:
1. Hide the corporate network from the Internet.
2. Prevent any user, device, or IOT device from directly connecting to the corporate network.
3. Eliminate lateral movement to stop mass infections and ransomware success.
4. Inspect all traffic – including encrypted data – for malware using sophisticated, inline AI tools.
5. Implement identity management and multi-factor authentication.
6. Implement a Zero Trust architecture with a multi-layered proxy enforcement design.
7. Implement Zero Trust within a SASE ecosystem that leverages your prior investments.
8. Continuously educate the leadership team, employees, and the board on cybersecurity.
9. Frequently test and benchmark your cyber capabilities and response plans.
The pandemic has accelerated digital transformation, raising the bar for almost every company. We have all been elevated to join the digital club. We are now all digital disrupters, but to sustain a resilient, agile, safe, distributed and scalable business model, organizations are quickly hitting that reset button and moving towards a Zero Trust architecture to provide a platform for secure digital adaptability. Today, we need to fight sophisticated criminals with equally sophisticated tools and architectures.
Businesses needing help with this transformation can look to ISA Cybersecurity. Their new Cyber Management Consulting (CMC) practice provides vendor- and standards-agnostic security, privacy, and data management solutions. Featuring a team of experts that brings decades of experience from working in some of the most complex environments in the private and public sectors, the CMC can help you understand, prioritize and address your risks, letting you confidently move forward with your “Cyber Reset”. Remember: “Hope is not a strategy”.
Contact ISA Cybersecurity to learn more about how their Cyber Management Consulting practice can help your business.