Whether it's resisting change from necessary security measures, not understanding the risk to a business, or being a rogue employee who circumvents corporate security completely, people are at the centre of security failures or compromises.
In a ZDNet Australia panel discussion held on Thursday, September 5, in Sydney, five high-ranking IT officers discussed what their greatest fears for their organisations were, and whether the businesses even know what their risk profiles are.
ZDNet heard from the top IT minds from the Federal Treasury, Transport for NSW, Harbour City Ferries, and Deloitte Touche Tohmatsu.
A disconnect between IT and decision makers
Deloitte's national lead partner for security Tommy Viljoen said there is a significant disconnect between what IT decision makers such as the executive board see as acceptable, and the IT managers or operatives that are responsible for the actual exposure of risk.
"The business sets the risk appetite of the organisation, and therefore they should understand where the level of risk has been set from a security perspective. A lot of organisations we go into, there's a disconnect between what the business thinks they've got, and what IT has been delivering," Viljoen said.
Transport for NSW is in the minority, using its previous experiences to present a case to decision makers for what could happen in the event that hackers infiltrate their networks and force an outage.
At the moment, no outages on the transportation network have been the result of an online attack, but its general manager for security and risk Ajoy Ghosh is now able to quantify to the business how much one would cost. His cost estimates are accurate enough that Transport for NSW is now able to predict the economic cost to the state if, for example, a two-hour outage on the Sydney Trains network were to occur.
While Ghosh appears to be far ahead of others who are still stuck trying to justify the financial costs of implementing and maintaining their security systems, he said this isn't the only challenge that he and others face.
"What [decision makers] don't have a clear idea of are the different IT security events that would cause those impacts.
"What I find myself doing is having to educate the decision makers, firstly about those impacts, and secondly about the dependencies of the different IT systems."
Treasury CIO Peter Alexander had a similar story of the disconnect occurring within his organisation, but with middle management being unaware that their risk profile was much larger than they believed.
"Our biggest disconnect was our executive and our mid-level managers. Our executive would say that I have this particular bit of content that I know six people across the whole of Treasury have access to ... and, of course, it would [actually] be 40."
Part of the problem, he said, is that organisations are encouraged to collaborate and share information. While he's an advocate for such behaviour, Alexander said that it often results in heads being butted.
Scaring the pants off your board
Contributing to his solution of this problem has been education, and who best to learn from in Australia but the top spooks themselves from the Australian Signals Directorate (ASD), formerly known as the Defence Signals Directorate?
"They come and brief our secretary's boards, and scare the pants off them," he said.
"They would get your laptop and they would go, 'This is how we break into a laptop,' and 30 seconds later, they're starting to get content off it even if it was encrypted."
As for briefing decision makers, the frequency of these sessions varied depending on the industry. Ex-IT directorate program manager at the Department of Education and Communities, Youssef Moussa, said that these discussions should typically happen weekly, but when previously working in the financial services industry, meetings on information security and risk would happen almost daily.
Implementing security measures
The Treasury is one of the few organisations that have not only implemented the ASD's mandatory top four mitigation strategies for security, but also the majority of the remaining recommended ones.
"Agencies freak out when you do it, because you go, 'You've got to have application whitelisting, critical patching within two days, access controls, and things like that,'" Alexander said.
"But we bent our culture a bit and got people saying, 'This works. This enables you to do your job better, more securely,' and it works pretty well."
Application whitelisting has been a boon for the Treasury, with Alexander saying that even if users fail on the education side and click on a link, the whitelist means that the malicious app would never launch, or if it is spawned from a drive-by website, it has already been blocked.
A lot of other departments and agencies are having difficulty complying with the now-mandatory requirement to implement the top four strategies, with Alexander saying they either attempt to sign waivers to the effect of accepting the risks or ask for more time. However, he said it isn't as painful as it seems.
"We turned on BitLocker in the background, let it run for three months to see what it would break, and went, 'It breaks this, it breaks that, now let's turn it live and see what else it breaks,' and it didn't break that much."
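The rollout pattern the panel describes for the top four mitigations, an allowlisting control switched on in a watch-only mode first and enforced only once the breakage is understood, can be scripted on Windows with AppLocker. The following is an added example and not code from the Treasury or the panel; it assumes a domain-joined workstation where the policy is applied locally, and the directory and file paths are placeholders.

```powershell
# Added example: build an application allowlist from the software already
# installed, deploy it in audit-only mode, then review and enforce.
# Assumes local administrator rights; paths below are placeholders.

# AppLocker rules are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory the known-good binaries and generate publisher rules, falling
#    back to hash rules for unsigned files. -Optimize merges overlapping rules.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe,Dll,Script,WindowsInstaller
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher,Hash -User Everyone -Optimize -IgnoreMissingFileInformation
$policyXml = [xml]($policy | ConvertTo-Xml -As String -NoTypeInformation)  # not used; kept simple below
$policyPath = 'C:\Temp\applocker-audit.xml'   # placeholder path
$policy | Set-Content -Path $policyPath -Encoding UTF8

# 2. Switch every rule collection to AuditOnly so nothing is blocked yet;
#    AppLocker logs what *would* have been denied instead of denying it.
[xml]$doc = Get-Content -Path $policyPath
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyPath)
Set-AppLockerPolicy -XmlPolicy $policyPath

# 3. During the observation period, event ID 8003 in the AppLocker log means
#    "ran, but would have been blocked under enforcement": this is the list of
#    things the control would break. Review it before flipping to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize

# 4. Dry-run a file against the policy without touching the live system;
#    the path is a placeholder for a sample downloaded executable.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\Downloads\unknown.exe' -User Everyone

# 5. Once the audit findings are addressed, enforce the same policy.
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'Enabled')
}
$doc.Save($policyPath)
Set-AppLockerPolicy -XmlPolicy $policyPath
```

In enforcement, a denied launch is logged as event ID 8004 in the same log, which is the signal the text describes: the user may still click the link, but the payload never starts.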
Biggest security concerns
The Treasury has a significantly higher standard for information security. Defence's cyber and information security division deputy director Stephen Day said earlier this year that any business connected to the internet and involved in the defence industry is a target for state-sponsored cyber espionage.
This leads to concerns over advanced persistent threats (APTs), rather than brute-force attacks. Alexander said that the latter sort of attacks have become so routine that it no longer makes sense to report them, instead only raising the flag when something truly significant like an APT hits the radar.
Moussa agreed, stating that it's really the new APTs that break through the spearphishing attacks, but believes that his organisation sees cloud-based technologies as a pressing issue, given that student records need to be tightly controlled.
"Opening up new areas where your data is no longer under your control, to actually move data out of your organisation, that's one of the biggest areas of concerns," he said.
"It's not just lack of control, it's the ability for others external to the department [to access] confidential records of students."
For Harbour City Ferries' IT manager Adam O'Halloran, however, the biggest problem to security is simple.
"That's easy. It's people."
While most people would pick a technological issue, O'Halloran said it is really the other two aspects of the trifecta: process and people.
His example was the creation of a new account for a marketing person, which was given the password of "password1". Shortly after, it was hijacked and used by scammers to spam unsuspecting victims.
Furthermore, he said that despite the technology that is implemented, it could always be circumvented.
"It's the person's perception of what is necessary [for security] and if they think it's unnecessary, they'll work around it."
Alexander is of the same opinion.
"It's people without a doubt," he said. "It's the fact that our staff can come in and we can do all these things to lock down our network and build in controls around documents, but we can't stop them taking a photo of it on their phone unless we don't let them bring phones into the building, and we're not a national security organisation, so we don't do that."
He said that people have been the weakest link, regardless of the advances in technology. He pointed to the past, where in a world prior to camera-equipped phones, people would photocopy documents and take them out with them anyway.
"We're a scarred organisation, because we did have a guy a few years ago that did leak a whole bunch of information to the opposition. It's people. You can't trust them completely. You can trust them mostly."