Cybersecurity is broken
At least, that is what one expert has to say in a provocative piece in SC magazine.
Here are some excerpts, but I recommend you read the short article.
The author, the CEO of a software vendor of cybersecurity products, starts with these points:
…user-driven technology has progressed so rapidly that it has significantly outpaced technology’s own ability to keep data protected from misuse and guarded from cyber vulnerabilities…
A lack of reliable security is the price we’ve paid for this eruption of amazing new cloud-based services and keeping vital data out of the wrong hands is an uphill battle.
He then spells out a truth that we should all acknowledge:
Anyone who tells you that your data is secure today is lying to you. The state-of-the-art that is cybersecurity today is broken. There must be a better way. But don’t lose hope, there is.
The article then takes a new direction (at least for me):
CIOs today need to adopt an entirely new security philosophy – one that hinges on the fact that your files and information will be everywhere…
If we can build a new security approach from the ground up based on the premise that data will escape, and are then able to secure everything no matter where it is, we end up debunking the concept of the “leak” entirely.
I do agree that the traditional, exclusive focus on preventing an intrusion cannot continue. He says:
That’s why my biggest frustration coming out of the recent Sony and Anthem hacks is companies opting for reactive solutions to fortify firewalls and secure siloed tunnels of information. For example, there was a major uptick in company-wide email-deletion policies in the wake of the Sony attack. Now that’s just dumb. Those are band-aid strategies that fail to address the heart of the problem.
He continues to press his point:
Maintaining a level of security in a boundaryless world means security and policy follow exactly what you’re trying to protect in the first place — the data…
Usable security, where users can choose how they want to access, store and share data, can only be made possible by providing a seamless user experience, so security is integrated into the daily work of everyone. A great user experience is one major obstacle security vendors (and arguably, all enterprise services) have yet to conquer. If we can do it, we will move away from panic-inducing scare tactics used to encourage adoption, and instead empower users with a solution they actually like to secure data…
In order to be a security company, enterprises need to rethink a few things. First, users have to be in control of their data at any given point in time and should be able to revoke access when they want by utilizing familiar technology. They should have complete peace of mind that their data truly stays theirs. Second, in a cloud and mobile world there are no real controlled end-points anymore, unless we want to take a step back into the stone ages. And third, the firewall model is broken and trying to extend the perimeter out simply doesn’t work anymore. It’s about protecting the information, wherever it is, and not about locking everything down where it’s hard to access, use and share for your employees and partners.
So he is presenting a new cybersecurity world where the security follows the data, using encryption and other methods.
I think that is something that every organization should consider – especially encryption.
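To make the "security follows the data" idea concrete, here is an added illustration (my own, not code from the SC Magazine author or his company) of a document that carries its own protection: the file holds ciphertext plus a wrapped copy of the data key for each authorised user, so it can sit on any server or laptop and still only open for listed users, and the owner revokes someone by dropping their wrap and rotating the key rather than by guarding a perimeter. It uses only the Python standard library, so the cipher is a constructed HMAC-SHA256 counter-mode keystream with a separate HMAC tag, and the owner's key directory is a hypothetical stand-in for recipients' public keys; a production system would use a vetted AEAD such as AES-GCM and public-key wrapping. The demo also shows the limit that matters for the "is it enough?" question: a copy taken before revocation still decrypts with its old wrap.

```python
"""Constructed demo of data-centric protection: ciphertext travels with a
wrapped data key (DEK) per authorised user; revocation re-keys the document.
Stdlib only: HMAC-SHA256 counter-mode keystream plus HMAC tag stands in for a
real AEAD, and a shared key directory stands in for public-key wrapping."""
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag makes tampering detectable."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: blob was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ProtectedDocument:
    """Ciphertext plus one wrapped DEK per user. Where the file is stored does
    not matter; only a wrapping key listed in `wrapped` opens it."""

    def __init__(self, plaintext: bytes, recipients: dict):
        self.blob = b""
        self.wrapped = {}
        self._reseal(plaintext, recipients)

    def _reseal(self, plaintext: bytes, recipients: dict) -> None:
        dek = secrets.token_bytes(32)  # fresh DEK on every (re)seal
        self.blob = seal(dek, plaintext)
        self.wrapped = {user: seal(kek, dek) for user, kek in recipients.items()}

    def read(self, user: str, kek: bytes) -> bytes:
        if user not in self.wrapped:
            raise PermissionError(f"{user} holds no key for this document")
        dek = open_sealed(kek, self.wrapped[user])
        return open_sealed(dek, self.blob)

    def revoke(self, user: str, owner: str, directory: dict) -> None:
        """Drop `user` and rotate the DEK so the live document no longer opens
        under any key `user` held. `directory` is the owner's table of wrapping
        keys (hypothetical stand-in for recipients' public keys)."""
        plaintext = self.read(owner, directory[owner])
        remaining = {u: directory[u] for u in self.wrapped if u != user}
        self._reseal(plaintext, remaining)


def demo() -> dict:
    # Constructed sample: two users share one document, then Bob is revoked.
    directory = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    doc = ProtectedDocument(b"Q3 board pack - confidential", directory)
    result = {"bob_before": doc.read("bob", directory["bob"])}
    stale_blob, stale_wrap = doc.blob, doc.wrapped["bob"]  # a copy Bob kept earlier
    doc.revoke("bob", owner="alice", directory=directory)
    result["alice_after"] = doc.read("alice", directory["alice"])
    try:
        doc.read("bob", directory["bob"])
        result["bob_after_revoked"] = False
    except PermissionError:
        result["bob_after_revoked"] = True
    # Limit of revocation: a copy taken before re-keying still opens with its old wrap.
    result["stale_copy_readable"] = (
        open_sealed(open_sealed(directory["bob"], stale_wrap), stale_blob) == result["bob_before"]
    )
    # Integrity: a flipped ciphertext byte is rejected instead of silently decrypted.
    corrupted = bytearray(doc.blob)
    corrupted[20] ^= 0x01
    try:
        open_sealed(open_sealed(directory["alice"], doc.wrapped["alice"]), bytes(corrupted))
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `stale_copy_readable` result is the practical caveat behind the "leak" claim: key rotation stops a revoked user from opening the current document, but it cannot recall what they already decrypted or copied, which is why detection and response still have a place alongside encryption.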
But is it enough?
For a start, how secure is encryption in the face of a sophisticated attacker? Maybe it is reasonably secure now, but we cannot be sure it will remain secure. Consider how encryption was broken by researchers, with the story told in this 2013 article.
I think you need at least three levels of protection: prevention, encryption, and detection, followed by response.
We can no longer assume that the bad guys cannot get in, and I am reluctant to assume that my encryption will not be broken if they have time.
So, we need the ability to detect any intruders promptly – so we can shut them down and limit any damage.
Too few have sufficient detection in place. Just look how long hackers were inside JP Morgan, and then how long it took the company to expel them!
I welcome your views.