· The long-term impact: a look at what’s changed for the long haul. What are the positives and negatives of the pandemic for cyber security? Will we ‘snap back’ into old models?
o Kris Lovejoy, EY Global Cybersecurity Leader and former CISO of IBM:
“According to our research 84% of the world introduced some work from home capability, 60% introduced technology to enable that, and 60% of those either completely skipped or abbreviated the security checks as part of that implementation”
“We see CISOs being left out of the decision-making process around transformation and budgets are being cut. So why be optimistic? Because usually organisations just buy more stuff to deal with crises or compliance. They never take anything out. My hope is that this pressure will mean we streamline and reduce complexity. The combination of top down focus, and budget restrictions will fundamentally change our approach to cyber.”
o Ian Pratt, Global Head of Security (Personal Systems), HP Inc: “We’re seeing an acceleration of trends that were happening anyway. Even very simple IT work practice has changed. Organisations have had to work out how to get laptops to employees with all the correct compliance, credentials, and certificates without it stopping off at an IT practitioner’s desk. We’re now enabling organisations to order machines not only imaged, but also provisioned with security credentials straight from the factory, so employees can use them securely straight out of the box. We’re at a point where end-points really have to be able to look after themselves at every stage.”
o Charles Blauner, Partner & CISO in Residence at Team8, former Global Head of Information Security, Citigroup: “COVID-19, if nothing else, has started to get people thinking about operational resilience. The good CISOs understand how to use the idea that security is a foundational aspect of operational resilience. Those who do are getting more budget and expanding the definition of what it means to be a CISO. This is an opportunity for good CISOs to change their relationship with their CEO and their business.”
o Boris Balacheff – HP Fellow and Chief Technologist, Security Research and Innovation, HP Inc: “From remote work, to IoT infrastructures, to all forms of automation – massively distributed infrastructure is becoming the norm. In a distributed world, endpoint devices are truly on the front line of the cyber security battle ground. No one is going to turn up at your door to help you if something goes wrong. Look back at early destructive attacks like Shamoon – going after 35,000 workstations. It’s simply not possible today to have the sort of IT intervention that it took to get people back on their feet. We need to give the technology that underpins our information systems the autonomy and self-healing capability to guarantee resilience, designed and anchored into the hardware itself.”
· Where does threat go? Are we already seeing something different? What’s been the biggest shift you’ve observed, in your respective roles, from the criminal element and where do you think adversaries will turn next?
o Kris Lovejoy, EY Global Cybersecurity Leader and former CISO of IBM: “We’ve got a major trust deficit between consumers and the institutions that serve them. People don’t trust governments or corporations. They don’t trust them with their personal data and that drives regulation. And that lack of trust isn’t just expressed in angry consumer tweets – it’s expressed in the boycott of brands, disinformation campaigns and in cyber attacks. We’re seeing a strong increase in the number of disruptive and destructive attacks that are perpetrated by social activists. As a CISO, that frightens me. We have to recognise that the nature and frequency of these disruptive and destructive attacks are going to increase.”
o Boris Balacheff – HP Fellow and Chief Technologist, Security Research and Innovation, HP Inc: “With most employees operating remotely, disruptive or destructive attacks become even more damaging. As exploit sophistication increases, firmware attacks could become an extremely dangerous and attractive target. Attacks aiming to ‘brick’ devices could isolate workers and halt operations entirely on a large scale. Devices that can offer autonomous recovery, a self-healing capacity, built into the hardware, beneath the software and operating system, become mission critical.”
· Has the threat model changed? The trickle-down effect of cyber warfare. Undetectable malware.
o Ian Pratt, Global Head of Security (Personal Systems), HP Inc: “Things that would have been regarded as requiring nation state sophistication are now being perpetrated by criminal organisations. There exists a criminal supply chain of different organisations contributing specialist skills – finding vulnerabilities, building exploits or payloads, crafting the lure, distribution, etc. In addition, the whole yield management has become much more sophisticated – criminals making sure they extract as much money as possible from a victim, increasingly playing the long game. We’re seeing more maturity, more sophistication, but the actual model itself hasn’t changed. Endpoints are targeted. It’s still users being duped to invite the attacker in.”
“Most security is detection based. And the thing that bad guys have done very well is evading detection, using machine generation and automation to mutate malware to evade detection. Testing against common security products is just part of the QA process prior to an attack – it’s typically outsourced as one of the specialised functions in the criminal supply chain. That’s why we use isolation technology, virtual machines that can seamlessly spin up and contain these risks. This provides protection without relying on detection, resilience against the undetectable.”
· Do you pay the ransom? Recent news suggests some major companies have paid out in ransomware cases – what are the issues in play here?
o Charles Blauner, Partner & CISO in Residence at Team8, former Global Head of Information Security, Citigroup: “It’s a very tough ethical question. You have a responsibility to shareholders, employees’ livelihoods, and customers’ safety, as well as a responsibility to think through where that money might end up – from potentially funding a group involved in modern day slavery, to an active terrorist cell. There is no easy answer. But what I struggle with is that too many companies have left themselves in the position where that’s a question they might have to face. There should not be the circumstance where a ransomware attack could bring a major corporate entity to its knees. That means an absolute failure in security design.”
· Does cyber-insurance change the equation?
o Kris Lovejoy, EY Global Cybersecurity Leader and former CISO of IBM: “Historically ransomware hasn’t been considered a disclosable event. That’s beginning to change but as ransomware providers do more data exfiltration, what we’re seeing is both more attacks, and more disclosure. In the background cyber insurers are looking at things like Baltimore. In May 2019 Baltimore got hit and the ransom was 79k USD. They said no and ended up spending 18 million to rebuild their network. Today, insurance providers are largely recommending paying the ransom. Many of the questions I get become ‘how the heck do I buy bitcoin’, ‘who will do the negotiation’.”
HP Survey Security Insights
Sample: 1,070 IT managers and IT decision makers surveyed. Data fielded in May 2020.
· 51% of end-users feel they’re not set up adequately for remote work
· 80% of IT managers believe IT is in a more visible role
· 81% believe IT is more tied than ever to the success of the business
· IT spend is more optimistic than earlier in the crisis: 44% of IT managers are increasing spend for this year, while 26% are decreasing spend for this year
· 40% of IT managers plan to augment security because of the current situation
· 49% have increased spend on network security
· 44% have increased spend on cloud and server security
· 33% have increased spend on endpoint security
· 46% are outsourcing more in their network and/or endpoint security