Understanding your data is key to securing it

Recent years have seen Irish businesses step up their response to the growing cyber threat. Damien Mallon, senior systems engineer at managed service provider Datapac, said that this has been a noticeable phenomenon, with more companies coming to them, driven by a new awareness of the risks.

“I would think that, in the Irish market, the HSE attack was a major motivating factor. I’ve been working in IT security for over ten years and that sharpened minds more than anything else ever,” he said.

Regrettable as it is, this makes sense: the attack on the HSE shattered a number of illusions, not least among them that Ireland was too insignificant to be a target. Other notable attacks in recent years were typically abroad – think Colonial Pipeline or Target – while those known about in Ireland, such as on two higher education institutes just prior to the HSE breach, seemed to be understood only in the abstract.

“Unless something affects you it’s a headline gone in an hour. The HSE attack really struck a nerve, though,” said Mallon.

This has now changed, with business responding to an obviously changed threat landscape, including at board level.

“We saw a range of people come to us [and] it made our discussions easier with non-tech business leaders. I have no doubt it was a watershed moment. Now, how long that lasts remains to be seen,” he said.

Understanding the estate

Datapac offers managed security operations starting with a full audit of the IT and information estate of a business. This, Mallon said, was essential as the true goal was to protect business operations.

“We got ISO certified a number of years ago. What those standards demonstrate is that without a full business understanding, your security products are scenery. You need to understand your businesses, the process and the data. Doing it any other way is just a box-ticking operation,” he said.

In fact, Mallon said, some of the time companies are just trundling along, largely because IT is not their business activity and so it tends to slip down the agenda.

“I can’t say that for all companies, but I have encountered it,” he said.

Key questions that need to be asked centre on just what systems and data a business has: have you got a software inventory? Have you got an app inventory?

In some cases, this is complicated by the use of custom software.

“We have clients with in-house developers and they don’t have vendor support, of course, but with turnover of staff you can have the product become something of an unknown. The more you deviate from the centre the more difficult it becomes to support,” he said.

Nevertheless, understanding the data is essential. Indeed, one additional benefit is that cost savings can be achieved by data cleansing.

“One customer was able to take one terabyte of old data out of the cloud and make a saving. Having too much data is not only harder to secure, it’s going to cost you money,” he said.

This can be daunting: people are afraid to break things and don’t want to put their neck on the line, but the day is approaching when they become a potential problem.

This is doubly true with so-called ‘operational technology’, Mallon said.

“Industrial control systems, devices in hospitals, security cameras, the internet of things… there’s a big rush to get everything online, but an internet-of-things device, by nature, is about usability not security. Security is often an afterthought,” he said.

Whatever array of devices are being protected, however, the goal will always be to protect against attacks as well as, if necessary, have the ability to respond rapidly to them and then, if a breach has been successful, recover.

“Disaster recovery and back-up are things that we always think about as business continuity, and that is part of the overall security, but a layered approach is essential. You must assume loss of data, and then know where you then go to recover,” Mallon said.