Interview

Changing Face of Enterprise Security

Kevin Flynn, Director Product Marketing, Skybox Security

With regulatory environments getting tighter around the globe and cybersecurity becoming a key agenda in boardrooms, Skybox Security’s Product Marketing Director Kevin Flynn talks about the changing enterprise security landscape.

What cyber security trends do you foresee gaining momentum globally?

To start with, the regulatory environment is not just becoming stricter; it now has teeth to it. The European Union GDPR is a proper example of that. Likewise, there is a new set of regulations on privacy and data security in New York, where much of the Wall Street. The main difference is that they are now having very comprehensive approaches with penalties. As with the EU GDPR penalties, 4% of the global revenue is enough to get the attention of the board. Another thing, the directors of organizations will now have personal liability.


Another trend is the notion that all connected devices have an IP address. Not just routers and PCs and smartphones, it’s all the devices, electric utilities and things in factories that manage them. These things have always been isolated but not anymore. Now they have an IP address and can be attacked. The DDoS attack that happened recently, where it was video cameras that were part of the botnet, brought major enterprises like Netflix and New York Times down.

The DDoS attacked the DNS server, which was an interesting way to approach the problem. They were not attacking NY Times or Netflix, they were attacking the DNS third party using non IP devices i.e. video cameras where there was no password protection. The password was in the firmware. In firmware, the administrator cannot change the password. Moreover, no one updates the firmware. Organizations need to think of the same problem with all their IoT devices. They are vulnerable. The DDoS attack using non IP devices highlighted the danger organizations face.

What are some of the challenges that enterprises are facing today with regard to cyber security?

The bigger problem that enterprises have been dealing with is how to educate the users. They need to increase user awareness. If we take a look at phishing attacks or spear phishing attacks, major form vector for an attack, a lot of times if the user is aware, he or she might not click on something fishy. But user awareness can only go so far.

Education is very important but the enforcement and policies have to vary depending on the culture of the organization. So, what a user in a bank or a user in a defense agency will tolerate as far as control of information flow will be very different than a user in a university. It is important to educate the users because a lot of cyber breaches occur by outsmarting the users. From the IT perspective, education is good but it has to take into account the culture.

Also, there has been a lag in what the security vendors are able to do versus the customer’s ability to incorporate the technology. In essence, it is like a three-legged arms race between the bad guys, the security vendors and the customers. The vendors and the bad guys are into security 24×7 and develop technologies whereas the customers have another business to do. So there is always going to be a lag time. The bad guys are always adjusting their game, the vendors are always crafting new technologies and then the customers have to absorb them and that takes time.

How significant is collaboration to ensuring enterprise security and data protection?

Security has to respond to business pressure. The secret to good security is to get out of the way as much as possible and let the business operate smoothly. Collaboration needs to occur between two businesses, or two users, and enterprises need to foster that. Security has to adjust to that. You cannot say to the CIO or CEO that you cannot trade with a specific partner. The trick on the collaboration side is to form good policies so that information flows appropriately and then enforce those policies and changes to those policies as necessary. It has to adapt to the need for collaboration between two different entities, and then be able to help set the policy, and be able to enforce those policies. The problem comes in detail – What’s a good policy and how am I enforcing it?

How different is the enterprise security landscape in India when compared to the west?

The problems of large enterprises are very similar in India as anywhere in Europe or US. There is an endemic around the world with a dearth of security people and expertise. The problem of recruiting security talent is hard and I am sure it is even more difficult in India. To alleviate that is the simplification of the management tools. If you can simplify the management tools, you’ll need fewer people.

How has cloud influenced the approach to cyber protection?

Almost everything we use in offices today is cloud. Salesforce is a cloud. If I am using my personal email, that is a cloud. Office 365 is a cloud. Things are no longer sitting in servers in the basement. So there is a major part of the information that is on cloud. It complicates things, because now you need much more control over the flow of information back and forth. What is the information that is going back and forth? How am I encrypting it? How am I protecting it? How am I isolating it so that it stays in the European Union? Do I have policy control on the third platform like AWS? What is happening in my private cloud in my data center? These are some of the questions organizations need to ask themselves.

Banking and financial institutions have been major targets for hackers in recent times. Where are they lacking in their security?

In my experience, the larger banks have the budget, resources and the personnel to do a pretty good job. But when you get below that, security is not as robust. Although that is natural in light of company size, the problem in the banking industry is that the information that even a small midsized bank holds is extremely valuable. Unlike manufacturing or any other industry, the security that a large, midsized or a small bank needs is virtually the same. The Bangladesh incident is a good example of this. The SWIFT network that all the banks use to transact and share information connects every bank globally. So as they are part of the same system, the same kind of security needs to exist in them. For mid-sized banks, you need to have the budget and the personnel as the problem is the same.

Anything you would like to add?

Security has gone on a worldwide basis from a technical issue to a business issue. It has attracted the attention of the board and senior management because they need to be aware of it and also because of the regulatory environment. EU GDPR will be extremely important for companies that have employees who are European citizens or if they do business in EU. The penalties for that are severe, all of a sudden, putting security issue out and into the board room. Companies are adapting to that and there has been a significant shift in the last few years due to the awareness and the change in the regulatory environment.
