Functionality, security and how not to become the next NHS casualty
by James Dyson, Business Development Manager, Infradata UK
I'm positioning myself as a new kind of hero. I won't wear a cape (my legs are too short), but I am fixing cybercrime once and for all. Sure, you could spend millions, but you won't be safe. The ONLY way to be safe is to unplug your network. Once you've done that, burn your clothes, put a tin foil hat on, curl into a ball and rock yourself to a peaceful sleep dreaming of cyber heaven.
Let's get some perspective here. For years companies have invested in faster networks. Low latency was nirvana and cloud-enabled teapots flew into people's LinkedIn streams. We've been here before. Last time around it was resilience: if you could figure out how to navigate the perils of ordering, let alone delivering, a diverse service, then RA02 was your thing, followed by a tertiary line. A few years prior to that we still had modems on iLO ports so you could dial in from home and reboot your AS/400... that was until the script kiddies worked out war dialers and ruined all the fun. Always-on was an absolute must, no compromise.
Security has never been the primary consideration. It's always been a compromise. If you start with absolute security (remember being curled up in a ball with a tin foil hat on?) and move down the levels from there, each step compromises security, so the magic is in providing adequate protection that doesn't compromise function.
Function is NOT "it needs to be super bang whizzy fast and I'm not typing in any passwords". Function is providing the service the solution was designed for. Security is the wrap of education and service around that function that minimises the risk of someone compromising it, whether to obtain data or to prevent the function from being delivered.
If you are in charge of running your network, application, website or social events, then you have an obligation to try to protect it. Don't leave it to the CISO; get involved. If you are a CEO, make sure that the shiny new network you've just bought, or the fluffy cloud you've just evangelised about, has the appropriate security measures and educational resources applied to it.
Until we all accept that maintaining a level of control is everyone's responsibility, this problem will continue. There are tools and processes you can implement, and there are some very good ones at that, but without a sensible approach you are burning cash and paying the new wave of ransomware pirates. It's really easy to blame whoever didn't upgrade the Windows XP devices at your local NHS trust, but let's have some clarity. The obfuscation and complexity of the frameworks wrapped around delivering service to these guys is ridiculous. There is a requirement for frameworks, but when they prevent appropriate action they are pointless. The issue here isn't one of negligence; it's one of opening up the public sector space and allowing them to breathe and make informed decisions.
I could try and sell you an NGFW, WAF and sandbox, but I'd rather plant a seed of thought and let you make your own decisions based on an educated position.
Sure, security should be a focus, but before you correct me, check your own LinkedIn setups and let's see how many of you have two-factor authentication enabled... why would you? It slows you down, right?