Treat IT security the same as workplace safety: Verizon

Verizon's cybersecurity arm believes the way an Australian company handles health and safety on a building site should be employed to tackle cybersecurity.
Written by Asha Barbaschow, Contributor

For a country that places so much focus on occupational health and safety in a work environment, Verizon's Bob Jennings wants to see Australia give cybersecurity the same attention.

As the head of global critical infrastructure protection cybersecurity for the US organisation's RISK enterprise, Jennings believes security is everyone's responsibility, and Australian businesses are slow on the uptake.

Jennings said that if something happens to an employee and they are injured at work, it could cost the company a lot of money, adding "it's a trust that the employee has on their employer".

"Why do companies ask you to read, and sign a disclaimer in the workplace? Ideally we would like to say they're concerned about their employees," he said.

"We need to think about security and a breach the same way. Am I going to get sued? Is it putting my company in jeopardy and impacting my brand? Are my employees at risk? Is it putting my customers at risk? All of the same ideas as workplace safety apply, yet look how easily we do safety and build it in across the board."

He said businesses currently do not do the same things for security, despite the mass of tools available.

"If you think about it, it's the same. When you do a safety briefing, do a security briefing. That's really important as one of the top things [regarding cybersecurity] is insider threat."

Jennings said that security can no longer be viewed as an IT domain, adding it is everybody's responsibility, regardless of how big or small your company is.

"As an employee I need to know I can't plug my phone into the USB port on my computer, not just because I'm being told, but because I understand why."

Jennings said a business needs to be able to prepare, predict, and understand that breaches and attacks are going to happen.

"It's the ability to not just respond and react, but more importantly, you want to be able to prepare, and help them know where the world is going; you need to not be afraid of security," he said. "The reality of the world today is, unfortunately, even though we've been working really hard to address security, it's worse than it ever has been. And it's just going to get worse."

Highlighting the Internet of Things (IoT) as the future of the IT industry, Jennings said the overall surface area of exposure is increasing dramatically.

"The world that we live in today is already starting to be hyperconnected; this consumer-driven desire to be connected to everything is what's going to drive business direction," Jennings said.

"And the people who perform the attacks, the people with the motives, the means, and the opportunity to attack victim organisations has changed pretty dramatically; there's equally going to be more people out there that are after them [IoT devices].

"We have an area of pretty critical infrastructure -- operational technology and control systems -- which covers heating and air conditioning controls, factory floors, robotics within work facilities. Traditionally these were always isolated systems that people couldn't get access to -- now the heating and air conditioning guy can dial in from his office."

With every company potentially vulnerable, Gartner predicts that by the end of 2017, more than 20 percent of enterprises will have digital risk services devoted to protecting business initiatives using devices and services in the IoT.

The analyst firm expects changes in computing fabric, devices, and services formed by digital businesses to continue to shape risk and security landscapes.

Christian Byrnes, managing vice president at Gartner, said business imperatives are what have driven the convergence of IoT, which he believes is still transforming most enterprises into digital businesses and thus reshaping cybersecurity.

"An inflection point in business and technological innovation has occurred, which we refer to as the 'digital explosion' and the 'race to the edge'," Byrnes said.

"Cybersecurity professionals are the new guardians of big changes in the organisation."

Byrnes said that such professionals must practice business resiliency and adaptability, as leaders cannot tell where business ends and cybersecurity begins.

"The digital explosion and the race to the edge have achieved what previous waves of technology evolution have failed to do, to integrate cybersecurity professionals and business leaders into effective teams for the protection and safety of the organisation."

Last month, Gartner said it expects worldwide security spending to reach $75.4 billion in 2015.

In 2014, an estimated financial loss of $400 million was the result of 700 million compromised records around the world, according to the Verizon 2015 Data Breach Investigations Report (DBIR).

Released in April, the report said that the industry seems to be getting better at detecting data breaches, with around 23 percent of breaches now discovered within days, compared with around 10 percent a decade ago. However, those behind the breaches are getting better. In 60 percent of cases, attackers were able to compromise an organisation within minutes, with the majority of breaches remaining undiscovered for weeks or even months. As the industry gets better at defence, the attackers get better at attacking.

Jennings said opportunistic hacking is another issue whose intent people do not really understand.

"When we think about what terrorism really means, it's the desire to cause conflict within a community," he said.

"If I can take this opportunistic hacking element and find one small 'in' in your company, not really to do a whole lot of damage, but I have an 'in' and I can make that known, imagine if I found five public utilities and made it known publicly that I have breached you. What's that going to do to your industry?"

Verizon found intellectual property (IP) theft is a major issue for many organisations, recording over 450 breaches in which organisations' trade secrets were stolen -- or suspected to be stolen -- in 2014. Verizon said that whilst attackers compromised IP in just minutes, it took organisations months to discover a breach.
