Keith Yes, like attacking a lawyer, because they have a back door into BHP or some other client. That’s exactly how they operate.
Sean Yes, exactly. Attacking a monitoring firm that is running a campaign for a new business in competition with someone else may make them a target.
Sanjay The other thing that’s changing is a lot of folks aren’t aware of how simple the mistakes can be, right? Conducting research with Deakin University, we discovered one in eight IP addresses in Australia now get malware on their website every single day. So these are innocent users going out browsing websites they think are okay, and roughly 13 percent of them are going to places where they’re getting malware. If you then link that to what we all know, the security professionals, and to phishing attacks, and how they’re using LinkedIn profiles to figure out information and everything else, you’re in big trouble, right? And when people hear ‘cyber security’ and ‘situational awareness’ and all these other things, it sounds big and complex, but the fact is that the mistakes are the most basic things.
Keith Indeed. It’s the same mistakes about access control, about not updating and having malware, and having networks with the hard crunchy shell and all these sorts of things.
CRN Like only deciding to lock the doors once you’ve been robbed.
Sanjay This wrestling with BYOD, as if the act of taking the device outside the corporate walls is new. People have been doing that with their laptops for decades.
The form factor is different and you can hold it to your head, so it’s got to be different. But when someone leaves the organisation, the first thing we do is ‘Bob, you’ve been a great employee, why don’t you take two hours, clean up your laptop and any personal photos etc.’ and give it back to me. It’s ridiculous. That’s BYOD every single day of the week.
Sean Effectively you have that chance for removal of data and external things. With cloud services, especially, that’s far more common.
Aviv We surveyed 3,000 customers and collected data from all sorts of places around the world, including Australia. We found over 60 percent had been targeted, have a ‘botnet’, an active botnet, in their network (over 60 percent worldwide). And Australia is no different. Companies reported BYOD brings more risks into the environment.
Going back to regulation and legislation, it’s there to set a minimum bar and maybe raise awareness. But from what I’ve seen, the greatest inhibitor was that it was too complex, or it is too complex to comply with regulations, be it PCI, SOX, DSD35.
Some of them are just recommendations, by the way. They’re not mandated, and it’s too complex for organisations to comply – even for large organisations who can actually afford it, it’s costly. And some of them actually take the stance, ‘I’m willing to take the risk, and I’m willing to pay the fines – it’s cheaper to pay the fines than it is to comply with regulations.’ It is a practical business decision that happens every day.
And as Sean stated regarding SMBs, there’s a lack of knowledge and a lack of expertise. We all know security is often perceived to be a very complex topic. It’s up to us as vendors to step in and resolve that and make the compliance effort easier. This way even a small business can comply and make sure that they at least adhere to the bare minimum.
CRN Are you suggesting that the privacy legislation is poorly designed, another piece of badly designed Labor policy?
Aviv My view is that the legislation has obviously been impacted a lot by politics and other factors that might be outside the body of the legislation itself, but I think that asking the government, or relying just on the government, to solve these things with very sophisticated legislation is probably not the right way to address it. It’s a combination of legislation that raises awareness. In my view, the main benefit of the privacy legislation is to raise awareness. Obviously the more penalties there are, the more people are aware that, as Greg mentioned, it comes to the boardroom level. If a CEO can go to jail, yes, it becomes a CEO problem – and in some countries the CEO can go to jail. That aside, I’m not saying if that’s the right way or the wrong way. Awareness is the key here, making businesses aware and making it easier for them to actually do something about it.
Sean Does anyone here at this table think that actually complying with legislation equals security?
Sean In the US, Sarbanes-Oxley compliance was seen as a lot of work to comply with, and so the act of complying became more important than the actual goals you were trying to achieve in order to be secure. I’m not sure. The legislation, as you say, helps raise awareness and makes it something that’s safe to talk about at board level.
I advise my clients that being compliant is not being secure, but if you’re properly secure, you are already well along your compliance ride, and therefore we turn it around. A few years ago it was all about compliance, which we now realise is an operational risk. You can decide the extent to which you want to be compliant and what is the risk of fines that you might have to pay. But if you turn that on its head and say we should be thinking more about being secure, and then you’re going to be able to tick the most important boxes. The second point is that one of the real benefits of the legislation in addition to awareness, is that we really don’t know how bad it is yet. As soon as we can get people reporting, we might get to understand how big of a problem this is for Australia. Right now we don’t really know.
Maybe three years from now we can probably get an idea of the magnitude of the problem, then that will be an awareness opportunity there, no matter how big or small it is.