Securing the business is a process

Information security is as much about people as it is technology

Gerard O’Connor, security and network architect, Triangle: ‘One of the worst things you can do in security is “set and forget”. It's like having a plant you put out, but then you never nurture it or take care of it.’ Picture: Mac Innes Photography

One of the greatest changes in the information security landscape has been the move to so-called “zero trust”: an approach to designing security architectures on the premise that every interaction begins in an untrusted state, and that a user and device earn access only by being authenticated and validated for each request rather than by being inside the network.

“Zero trust allows organisations to take back control. You’re saying you don't automatically trust the user or the device. Instead, you authenticate and you validate,” Gerard O’Connor, security and network architect at managed service provider Triangle, said.

This is not actually a new approach to security, he said, but it has grown in popularity in recent years, largely because traditional “perimeter approaches”, effectively the building of digital walls around businesses, no longer afford sufficient protection.

“In fact, zero trust has been around, in one form or another, for 20 years. The problem is that people didn’t implement it. The HSE, for example, could have benefited from zero trust, where instead of just connecting devices the system demanded proof,” O’Connor said.
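To make the contrast concrete, here is a small, added illustration (not code from Triangle or from the article) of the two access models O’Connor describes. The corporate address range, device inventory, roles and requests are all constructed for the example; a real deployment would pull device posture from an MDM or attestation service and identity from an IdP.

```python
"""Per-request access decision: perimeter trust versus zero trust.

Added illustration; not code from Triangle or the article. All ranges,
device records, roles and requests are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Constructed corporate range that a perimeter model treats as trusted.
CORP_NET = ip_network("10.0.0.0/8")

# Constructed device inventory: device_id -> posture facts an MDM might report.
DEVICES = {
    "lap-001": {"managed": True, "disk_encrypted": True, "patch_age_days": 3},
    "lap-002": {"managed": True, "disk_encrypted": False, "patch_age_days": 40},
}

# Constructed authorisation table: which roles may reach which resource.
RESOURCE_ROLES = {
    "hr-db": {"hr"},
    "wiki": {"hr", "eng", "sales"},
}

MAX_SESSION_S = 8 * 3600  # re-authenticate after this, whatever the network


@dataclass
class Request:
    src_ip: str
    resource: str
    user: Optional[str] = None
    roles: Set[str] = field(default_factory=set)
    mfa_verified: bool = False
    device_id: Optional[str] = None
    session_age_s: int = 0


def perimeter_allows(req: Request) -> bool:
    """Old model: anything already inside the network is trusted."""
    return ip_address(req.src_ip) in CORP_NET


def device_compliant(device_id: Optional[str]) -> bool:
    """Unknown devices are non-compliant by definition."""
    d = DEVICES.get(device_id)
    if d is None:
        return False
    return d["managed"] and d["disk_encrypted"] and d["patch_age_days"] <= 14


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Every request starts untrusted; network location is never consulted."""
    if req.user is None:
        return False, "unauthenticated"
    if not req.mfa_verified:
        return False, "mfa required"
    if req.session_age_s > MAX_SESSION_S:
        return False, "session expired; re-authenticate"
    if not device_compliant(req.device_id):
        return False, "device not compliant or unknown"
    if not (req.roles & RESOURCE_ROLES.get(req.resource, set())):
        return False, "not authorised for resource"
    return True, "allowed"


if __name__ == "__main__":
    inside_anon = Request(src_ip="10.1.2.3", resource="wiki")
    outside_ok = Request(src_ip="203.0.113.5", resource="hr-db", user="ann",
                         roles={"hr"}, mfa_verified=True, device_id="lap-001",
                         session_age_s=600)
    for r in (inside_anon, outside_ok):
        print(r.src_ip, "perimeter:", perimeter_allows(r),
              "zero trust:", zero_trust_decision(r))
```

The point of the comparison is the first request: an unauthenticated connection from an internal address passes the perimeter check outright, which is exactly the “just connecting devices” failure O’Connor refers to, while the zero-trust path rejects it at the first step and only admits the external request once identity, MFA, session age, device posture and resource authorisation have all been checked.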

There is a wider issue at play, however, O’Connor said.

“One of the worst things you can do in security is ‘set and forget’. It's like having a plant you put out, but then you never nurture it or take care of it.”

With traditional IT security, this approach often left companies wide open to attack.

“You punch holes in the network to allow the user to do what they have to do then, later, decommission a system, but the holes are left there. What you really need is continuous assessment,” he said.
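One practical form of the continuous assessment O’Connor calls for is a recurring audit of firewall allow rules against the live asset inventory and the change tickets that authorised them. The script below is an added example, not code from Triangle or the article; the rule fields, inventory, ticket register and review-date convention are constructed and simplified for illustration.

```python
"""Continuous assessment of firewall allow rules.

Added example; not code from Triangle or the article. Rule fields, the
inventory, the change-ticket register and the thresholds are constructed.
Each rule is checked so that 'holes' left behind after a system was
decommissioned are surfaced instead of lingering indefinitely.
"""
from datetime import date
from typing import Dict, List, Optional

# Constructed rule base. 'expires' is the review date agreed when the rule
# was opened; None means nobody ever set one.
RULES = [
    {"id": "R1", "src": "10.0.0.0/8", "dst": "10.20.1.15", "port": "1433",
     "ticket": "CHG-101", "expires": date(2025, 12, 31)},
    {"id": "R2", "src": "10.0.0.0/8", "dst": "10.20.1.40", "port": "445",
     "ticket": "CHG-102", "expires": None},
    {"id": "R3", "src": "192.0.2.0/24", "dst": "10.20.1.15", "port": "22",
     "ticket": "CHG-099", "expires": date(2024, 1, 31)},
    {"id": "R4", "src": "0.0.0.0/0", "dst": "10.20.1.15", "port": "any",
     "ticket": "CHG-103", "expires": None},
]

# Constructed live inventory (ip -> hostname). 10.20.1.40 was decommissioned
# and is deliberately absent, so R2 is the classic leftover hole.
INVENTORY = {"10.20.1.15": "erp-db-01", "10.20.1.16": "erp-app-01"}

# Constructed change-ticket register: ticket id -> approved?
TICKETS = {"CHG-101": True, "CHG-102": True, "CHG-103": True}


def audit_rules(rules: List[dict], inventory: Dict[str, str],
                tickets: Dict[str, bool], today: date) -> Dict[str, List[str]]:
    """Return {rule_id: [reasons]} for every rule that needs attention.

    A rule with no findings is omitted from the result.
    """
    findings: Dict[str, List[str]] = {}
    for r in rules:
        reasons: List[str] = []
        if r["dst"] not in inventory:
            reasons.append(f"destination {r['dst']} not in inventory (decommissioned?)")
        if not tickets.get(r["ticket"], False):
            reasons.append(f"no approved change ticket ({r['ticket']})")
        exp: Optional[date] = r["expires"]
        if exp is None:
            reasons.append("no review/expiry date set")
        elif exp < today:
            reasons.append(f"review date {exp.isoformat()} has passed")
        if r["src"] == "0.0.0.0/0":
            reasons.append("source is any")
        if r["port"] == "any":
            reasons.append("port is any")
        if reasons:
            findings[r["id"]] = reasons
    return findings


if __name__ == "__main__":
    for rule_id, reasons in audit_rules(RULES, INVENTORY, TICKETS, date(2024, 6, 1)).items():
        print(rule_id)
        for reason in reasons:
            print("  -", reason)
```

Run on a schedule and fed from the real rule export and CMDB, a check like this turns “later, decommission a system, but the holes are left there” into a ticket the day the host disappears from inventory. The review-date check is the other half: a rule that was justified when it was opened still needs someone to re-justify it.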

People and process

Any continuous assessment of security needs should put people and processes in place before the technology, O’Connor said.

For most businesses, however, building an in-house team of IT security professionals is simply not an option, he said.

“You have to find [information security] people, and there’s a shortage of talent, then you have to train them up, not just once, but continuously,” he said.

And yet, the threat landscape is getting worse all the time.

“I saw a stat recently saying there has been a 600 per cent increase in cyber attacks in a year – in a single year! It’s just getting more and more dangerous”.

Process can make a difference, however. Indeed, one recent report found that between 81 and 89 per cent of breaches came in via e-mail: essentially phishing attacks and business e-mail compromise. The answer, then, is to make sure staff do not fall at the first hurdle, by training them to be alert to possible deception.

“Security is about people, process and technology: you need the people, and you need to train them to do their best to identify when things might be fraudulent, though these things look more and more real all the time,” O’Connor said.

This is not to say having staff on high alert is the only leg of the security stool, and businesses do need to recognise that people are fallible. Nonetheless, it is a starting point.

“I’ve never in my life met a person who hasn’t made a mistake, hasn’t had a momentary lapse, [but] you have to build a culture that people understand and can take part in,” he said.

“Only after that comes the technology, and the model now needs to be ‘prevention first’. What you don’t want is a notification saying, ‘You were breached and we did nothing’, so managed service providers should be using technology such as AI [artificial intelligence] to decide if connections are bogus. If they are, block them,” he said.

This practice, known as XDR or “extended detection and response”, improves a network’s protection against malicious intrusion, but part of the culture building in organisations needs to be around ensuring unauthorised applications and devices, known as “shadow IT”, are not thrown into the mix.

In order to achieve this, staff must be provided with the tools they need to properly do their jobs.

“Sometimes people do things with shadow IT for malicious reasons, but more often than not they’re doing it because it’s easy for them. People want an easy life,” said O’Connor.

Notably, shadow IT rose during lockdown, with remote workers lashing together solutions using any internet-enabled apps they could in order to get the job done. This kind of ad hoc approach is not necessary, however, and O’Connor said that the novelty of remote work has been overstated.

“People say remote work is new and came about because of Covid, but that’s not true. There was remote work 20 years ago. It’s just that the technology has made it feasible for a greater number of people. However, what has changed is that it has proved that the perimeter doesn't exist anymore. People are everywhere and anywhere: they’re at home, they're in a coffee shop, they're in airports,” he said.

No security solution will ever offer perfect protection, but O’Connor said it was the job of people like him to guide businesses to a place where they understand where they are on the risk spectrum and to ensure they have processes in place to mitigate the risk.

“It’s endpoint control, to try and mitigate the risk. And that’s all any of this will ever be: mitigation to try and ensure your business isn’t ground to a halt. These are the problems we’re here to solve. We deal with all sizes of business, because nobody is immune,” he said.