Head of Strategy & Planning at eir Business
When eir performed in-depth customer research in 2015, it became clear that information security was one of the top investment priorities for enterprise and government customers.
I remember while playing hide and seek with the kids when they were young, I used to make this bad joke where I’d tell them to cover their eyes when hiding because “if you can’t see them, then they can’t see you.” Even the youngest of kids knows instinctively that this idea makes no sense.
When it comes to cyber-security, it seems that we have been collectively sitting in the corner in full view, with our hands over our eyes. Meanwhile the bad guys have been honing their technology and having the run of the house with terrible and high-profile consequences.
Fortunately, attitudes appear to be changing.
When eir performed in-depth customer research in 2015, it became clear that information security was one of the top investment priorities for our enterprise and government customers.
When asked about areas where they were most likely to invest, across all sizes of Irish companies and government organisations, there was no segment where respondents didn’t list information security as one of their top three priorities.
Yet at the same time, it became clear that while Irish boardrooms were turning their attention and risk management activities towards the security of their IT systems and networks, there was a lack of understanding about how to proceed. The research found that 66% did not feel adequately protected from an IT and network security perspective.
Stealthy malware can still leave network footprints.
We thought hard about whether we could help in a meaningful way. Do organisations with networking and communications as their heritage, such as eir, have a role to play in the security space? The answer is yes, and it’s because of the growing sophistication of malware.
Perimeter security is still the bread and butter of most security solutions. It used to be the case that if you locked down the hatches at the perimeter to the network, you felt you could sleep comfortably at night. It is now generally accepted however, that traditional perimeter security, whilst still absolutely necessary, is no longer sufficient to minimise security risk.
The new mantra is not if you will be breached, but when.
As malware becomes better at hiding its footprints within the IT realm, it must traverse the network, where inevitably evidence of such breaches will still be present.
A troubling trend in the development of malware is stealth. Not only can malicious software be launched into a victim’s network from a distance by a remote attacker, it can also erase log files and otherwise hide its footprints.
The network doesn’t lie, and signs that an attack is occurring or has occurred are often only detectable at the network level. In order to achieve its objectives, ultimately malware needs to use the network for a variety of purposes, such as remote command and control, exfiltration of data or just to snoop around. In this sense, there really is nowhere for it to hide, but it’s important to understand the truths about data networking and how best to keep your network safe.
As providers of that gateway, an organisation’s communications and networking partner is uniquely positioned to understand network threats and to monitor for the suspicious network traffic patterns that can indicate breaches.
The prevalence of high-profile hacks means organisations must now have a plan that assumes a breach will happen. That takes action to track, limit and stop interlopers if they do penetrate the perimeter.
Irish organisations that feel the need for improved defence but are unsure of how to proceed should begin by talking to their communications provider. Can the provider help shore up security of their perimeter while also monitoring the network for traffic patterns that could reveal an attack is in process? An essential starting point is to regularly test your external and internal network for vulnerabilities and weakness to penetration.
The service imperative: moving beyond technology.
The good news is that more Irish organisations are moving to improve their security posture. The bad news is that a service gap is now obvious.
The feeling that perhaps the organisation isn’t doing enough to protect its information is often justified, where they have invested in security protection but left it unmanaged.
In our experience, it’s not uncommon for enterprises to adopt solutions such as Intrusion Detection and Protection Systems, or Security Incident and Event Management, only to leave the system in place without oversight or maintenance. Once critical alerts are ignored or licences are allowed to lapse, the intrusion protection device is little more than a dust collector, giving an illusion of security that may even be more dangerous than the total vulnerability of an unprotected organisation.
These fears are compounded by a real human consideration: Surely I can’t be held accountable for something of which I was unaware. Unfortunately for those of that mindset, new legislation under the banner of the EU’s General Data Protection Regulation will hold firms much more accountable for data breaches, and positions of plausible deniability will no longer hold water.
It’s true that, to date, there may have been more questions than answers for Irish organisations seeking truly enterprise-grade information security protection, but at last boardrooms are no longer hiding from the problem. Many no longer have their eyes covered and are seeking answers, which can only be a good thing for employees, customers and the public.
Head of Strategy & Planning at eir Business