Rip it up and start again? Why does cybersecurity appear to be failing?

Possible conflict between CIOs and CISOs creating vulnerabilities

"Personally, I want to say I am sorry that this happened," wrote Charles Brown, president and CEO of Canadian healthcare testing and diagnostics company LifeLabs. Brown was writing an open letter following a breach of the company's IT systems and potential loss of records impacting 15 million customers. It's the latest in a sorry line of breaches and yet over the past 18 months enterprises have had access to more sophisticated security tools and apps than ever before, so what is wrong? Why does cybersecurity seem to be failing?

As we begin the new year, there is understandable concern as to what 2020 will bring in the shape of cybersecurity threats and breaches. What is almost inevitable is that there will continue to be significant problems, fuelled as much by human error as the hacking skills of cybercriminals. So, why are businesses and public sector bodies still being breached so regularly? Shouldn't the security industry be doing more?

According to Orion Hindawi, CEO and co-founder of Tanium, the security industry is in a state of flux. He admits that last year he thought we were going to see mass consolidation through acquisitions, but now he thinks that consolidation will come through bankruptcies. Much of this, he says, is down to the "millions of little companies that are saying that they cure cancer and launch the space shuttle and do all these amazing but somewhat nonsensical things."

The problem is that this creates confusion and, to a certain extent, a split in vision between CIOs and CISOs. Hindawi believes 2020 will (and should) see a shake-out. Customers, he says, are demanding simplification.

"I think that the market is overheated to the point where now it's not going to be a soft landing," he says. "Now, we may end up in a situation where a lot of these companies just legitimately disappear. I think a lot of our customers are starting to get to the point where they've hit saturation on the number of different voices that are screaming in their ears. Customers are tuning out."

Strained relationships

So, what does this mean in terms of protection? Are organisations leaving gaps in their defences? Hindawi insists that organisations are not just leaving their defences open but are also failing to address some of the key issues behind the breaches and problems we have seen over the past 12 months.

"Instead of, you know, focusing on the Russians coming in through the skylights, which is what a lot of the industry wants organisations to focus on, they should be getting back to basic hygiene, which is actually the problem that is causing a lot of the systemic issues," says Hindawi.

It's a bold claim. While human error is a widely accepted cause of many breaches - Applied Risk claimed last year that employee errors were behind 52 percent of industrial breaches, while Kaspersky Labs claimed that 90 percent of cloud-based attacks were also down to employee mistakes - knowing where all assets are, geographically but also in terms of security patching, seems like common sense. Yet, according to Hindawi, and to recent research from Fidelis Cybersecurity, security automation and visibility of endpoints remain a huge concern for security professionals.

"The problem that is driving most of our customers when they're being breached, or when they're having operational failures, in almost every case, it ties back to that basic hygiene," says Hindawi, adding that this is more than just an awareness issue. By this he means that an internal conflict between CIOs and CISOs is undermining organisational resilience.

To try to prove the point, Tanium commissioned Forrester Consulting to explore the idea. Interestingly, the study of 400 large enterprise IT leaders found that increased investment in IT solutions has not translated into improved visibility of computing devices and has, according to the research, "created false confidence among security and IT ops teams in the veracity of their endpoint management data."

The study also found strained relationships between CIOs and CISOs leading to poor collaboration on organisational security measures. In practical terms this has meant that some organisations have taken nearly two weeks to patch vulnerable IT systems.

The research found that over 40 percent of organisations with these strained relationships struggle with basic IT hygiene. With 71 percent of businesses struggling to gain end-to-end visibility of endpoints, such as servers, laptops, desktops and containers, it's not surprising that, as the report suggests, there is misplaced confidence among IT decision makers. While 80 percent are certain they can act on the results of vulnerability scans, fewer than half (49 percent) feel confident they have full visibility into all the hardware and software assets in their environment.

Reboot thinking

It seems like a perennial problem. We have been here many times before, so why don't organisations do more? Beyond the obvious cost and disruption of a breach, data security legislation, such as GDPR, is getting tougher - even the State of California is now enacting stricter measures with its Consumer Privacy Act (which took effect from Jan 1 2020).

According to Hindawi, organisations need to rethink how they are addressing endpoint visibility and security. By this he doesn't mean rip everything up. The problem, he says, is a culture of convenience.

"I still have customers, board members in customers who call me and ask me, 'how should we measure ourselves?' 'How should we determine whether we're successful?' Their IT teams often are telling them that they are patching 90 percent of the time and that's a win. Like it's an A minus, right? The reality is if you have 100,000 computers and you're patching 90 percent of them, 10,000 machines are still completely open, and they probably have customer data and other sensitive information on them. You're almost guaranteeing failure."
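The Forrester figures above (confidence in scan results outrunning visibility of the assets being scanned) and Hindawi's "90 percent patched" arithmetic describe the same measurement trap: a patch rate computed only over hosts the scanner saw says nothing about the hosts it never saw. The script below is an added example, not Tanium's, Forrester's or the article's code, of how a security team can reconcile three sources it typically already has (a CMDB inventory, endpoint-agent check-ins and vulnerability-scan results) to find unknown, unmanaged and unscanned hosts and to report a patch rate whose denominator is every host any source knows about. All host names and timestamps are constructed for the example.

```python
"""Reconcile asset inventory, endpoint-agent check-ins and vulnerability-scan
results to measure real endpoint visibility and patch coverage.

Added example with constructed data and hypothetical host names; not code from
any vendor or from the research cited in the article."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Set

# Constructed sample inputs (hypothetical hosts; not from any real environment).
CMDB_ASSETS: Set[str] = {"web-01", "web-02", "db-01", "laptop-044", "laptop-045", "ci-runner-7"}

# Last check-in time of the endpoint-management agent, per host (ISO 8601).
AGENT_CHECKINS: Dict[str, str] = {
    "web-01": "2020-01-06T08:00:00",
    "web-02": "2020-01-06T08:05:00",
    "db-01": "2019-12-10T02:00:00",       # agent has gone quiet for weeks
    "laptop-044": "2020-01-05T17:30:00",
    "k8s-node-3": "2020-01-06T08:01:00",  # agent installed, but host never entered the CMDB
}

# Vulnerability-scanner output: number of missing critical patches per scanned host.
SCAN_RESULTS: Dict[str, int] = {
    "web-01": 0,
    "web-02": 2,
    "laptop-044": 0,
    "ci-runner-7": 1,
}


@dataclass
class HygieneReport:
    universe: Set[str]      # every host that any source knows about
    not_in_cmdb: Set[str]   # seen by agent or scanner, absent from the inventory
    no_agent: Set[str]      # never checked in with the agent
    stale_agent: Set[str]   # agent present but silent for longer than max_age
    unscanned: Set[str]     # no scan result at all
    unpatched: Set[str]     # scanned and missing critical patches

    def exposed(self) -> Set[str]:
        """Hosts that are known-unpatched or whose state is simply unknown."""
        return self.unpatched | self.unscanned

    def scanned_patch_rate(self) -> float:
        """The flattering number: share of *scanned* hosts that are fully patched."""
        scanned = self.universe - self.unscanned
        return (len(scanned) - len(self.unpatched)) / len(scanned) if scanned else 0.0

    def true_patch_rate(self) -> float:
        """Share of *all* known hosts proven fully patched; unknown counts as not patched."""
        return (len(self.universe) - len(self.exposed())) / len(self.universe)


def reconcile(cmdb: Set[str], agents: Dict[str, str], scans: Dict[str, int],
              now: datetime, max_age: timedelta = timedelta(days=7)) -> HygieneReport:
    """Union the three views of the estate and classify every host in it."""
    universe = set(cmdb) | set(agents) | set(scans)
    cutoff = now - max_age
    stale = {h for h, ts in agents.items() if datetime.fromisoformat(ts) < cutoff}
    return HygieneReport(
        universe=universe,
        not_in_cmdb=universe - set(cmdb),
        no_agent=universe - set(agents),
        stale_agent=stale,
        unscanned=universe - set(scans),
        unpatched={h for h, missing in scans.items() if missing > 0},
    )


def run_sample() -> HygieneReport:
    """Run the reconciliation over the constructed data at a fixed point in time."""
    return reconcile(CMDB_ASSETS, AGENT_CHECKINS, SCAN_RESULTS,
                     now=datetime.fromisoformat("2020-01-06T12:00:00"))


if __name__ == "__main__":
    r = run_sample()
    print(f"hosts known to any source: {len(r.universe)}")
    print(f"missing from CMDB:         {sorted(r.not_in_cmdb)}")
    print(f"no agent / stale agent:    {sorted(r.no_agent)} / {sorted(r.stale_agent)}")
    print(f"never scanned:             {sorted(r.unscanned)}")
    print(f"patch rate (scanned only): {r.scanned_patch_rate():.0%}")
    print(f"patch rate (all hosts):    {r.true_patch_rate():.0%}")
    print(f"exposed hosts:             {sorted(r.exposed())}")
```

On the sample data the scanner-only patch rate is 50 percent, while the rate over every host the organisation can see from any source is 2 in 7, because three hosts were never scanned at all (one with a stale agent, one with no agent, one that never made it into the CMDB). Reporting the second number, and the lists of unknown and unscanned hosts beside it, is what turns "we are patching 90 percent" into the count of machines that are actually open.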

For Hindawi, it's a key reason why the cybercrime statistics are not getting any better. Skills shortages and growing threats are not making this any easier. Hindawi is pinning his hopes on increased automation, as it's the only way, he suggests, that organisations can truly keep up. At least that's one way to solve the squabbles between IT and security teams.