The growing volume of data breaches highlights a worsening IT security situation that – without intervention in the form of breach reporting laws – is paving the way for many of the worst-case scenarios outlined in a recent CSIRO report to come true, a security strategist has warned.
Reflecting on the growing number of data breaches – over 807 million since 2013, according to SafeNet's ongoing Breach Level Index – SafeNet chief strategy officer Tsion Gonen told CSO Australia that businesses all over the world were continuing to delude themselves about the threats they face and the resources required to beat them.
"The threat is real, but the way that we look at it is not," Gonen said. "We talk with a lot of organizations around the world, and there's a perpetual imbalance between trying to protect assets and needing to be successful all the time."
"Attackers only need to be successful once," he continued. "So, it's not about whether it's going to happen, but about when it's going to happen and what we do to prevent it happening. For 25 years it has been about breach prevention – but if we keep using the methodologies the security world has been looking at until now, I would say it's destined to fail."
With no formal breach notification laws in place, the lack of visibility into these failings was perpetuating a culture where insufficient security was being left to continue unchecked.
Such a culture will potentially compromise Australia’s national productivity, bringing to fruition a threat raised in the CSIRO's recent security report, Australia's Digital Future.
That report noted the risks of an increasingly vulnerable environment, an evolving cyber-security landscape, increased technological dependence, and changing social trends that have made, as the CSIRO report puts it, "a capability of crucial importance."
"Our national progress is directly tied to our ability to minimise risk exposure without limiting progress," the report's authors note, with a scope of analysis extending through 2025 that is designed to inform forward planning and investment considerations for the future.
With Australia suffering the fifth highest level of malware infections worldwide and CERT reporting well over 8500 incidents during 2013, the threat landscape is already significant. This is only expected to increase as healthcare providers embrace cloud computing; researchers build connected service ecosystems; online government links citizens in new ways; and building monitoring expands the use of sensors and controls.
All will, as the CSIRO puts it, "lead us to becoming more dependent on the use of technology, or more specifically, on the underpinning technology infrastructure that makes that usage possible."
But with network boundaries "dissolving" and network traffic increasing, Gonen warned that businesses need to become more open about their vulnerabilities – as has happened in the US because of mandatory breach laws – and more ready to take action.
"Breach notification laws promote security and force people to think about it," he explained.
"You can't necessarily solve for every scenario, and can't perfect everything. But you do need to think about the worst-case scenario, and take it step by step starting with the most important areas."
For too many companies, however, an out-of-sight, out-of-mind perspective on ICT has proved problematic because many within those companies have not given enough attention or resources to fixing the problem.
"As an industry, we're being forced to evolve because of what's happening," he said. "It's about thinking in advance, and building security into the infrastructure instead of trying to put in walls to prevent issues."
"People don't want to be the next target, but the fact that we start talking about it will not cause it to happen more. It's an important conversation to raise."