Attendees at FutureScope got an insight into how cybersecurity threats have evolved from a technical concern to a business risk. Last week’s business networking conference in Dublin promised perspectives on emerging technologies – including how security affects our increasingly connected world.
BH Consulting founder Brian Honan spoke as part of a panel discussion with Damon Rands, CEO of Wolfberry CS. MC Karlin Lillington, technology columnist with the Irish Times, started by asking: “Are we overly worried or underprepared? Hyped into panic or not taking this seriously enough?”
Brian Honan said: “I think we’re living in an era where we’re reaping the seeds sown over the last few decades.” That partly stems from governments not grasping issues like protecting critical infrastructure, or businesses rapidly releasing products without considering security.
Hype from security product makers has also played a part, Brian added. “It’s a perfect storm. Any time there’s a new vulnerability announced, it comes with its own website and its own PR campaign. We saw that with Shellshock and Heartbleed, yet in reality, none of our clients were attacked.” Referring to security vendors’ tendency to oversell their products’ capabilities, he said: “You have all these silver bullets, but not every security threat is a werewolf.”
It’s far more common to see organisations with poor security hygiene where they don’t update software patches regularly, or they don’t protect systems properly, Brian said. “For large organisations and most businesses, the risks you face are the standard threats. They include users clicking on links, poor passwords and unpatched systems. When we run security exercises against our clients, the first thing we target is not the IT infrastructure, it’s the people,” said Brian.
Damon Rands agreed. “90% of our work is reconfiguring what [systems] you’ve got already,” he said. At the same time, there are very real threats businesses need to protect against, he added.
Those threats vary by the type of businesses, said Brian. “If you’re a small business, the risk is of automated attacks like ransomware or computer viruses; kids and criminals looking for insecure systems. That’s at the base level. As you go up to large organisations with large amounts of data or intellectual property, you become a more targeted threat.”
Addressing the audience, Brian said most businesses shouldn’t think they face the same cybersecurity threats as nation states. “Not everybody in this room is a target for the NSA or GRU,” he said.
Damon Rands said Cyber Essentials is a framework of security controls that can help businesses to check for common risks. However, he pointed out that Cyber Essentials only focuses on technical security controls, not user behaviour and awareness. Growing numbers of businesses have adopted it recently and Rands said: “I believe that’s due to GDPR.”
Another evolution in cybersecurity predates GDPR, Brian added. When he founded BH Consulting in 2004, most of the people he spoke to were in technical roles. “Nowadays, we are being brought in by boards, audit committees and the C-suite who see security as a business risk,” he said.
This prompted Karlin Lillington to ask about how to pitch a technical security message to such a different audience. Brian said: “You have to treat it as another business risk. Very few businesses in the world would be efficient if they didn’t have their IT.”