Canon Europe’s director of information security Quentyn Taylor urges businesses to go back to basics in order to counter the proliferation of cyber threats.
The increase in cyber attacks in recent years has led to IT security becoming a business-wide priority. However, the almost-daily headlines of data breaches and defrauded customers often lead to uncoordinated responses from many businesses. Observing such behaviour, Quentyn Taylor, director of information security at Canon Europe, urges businesses to go back to security basics.
“There is a lot of focus on the advanced attacks with organizations forgetting that the basic cyber hygiene factors are at the root of many of the security issues that they face today. It’s easy to focus in on the James Bond-esque nature of some of those attacks when, in reality, the core [of the security problem] is down to lack of patching and shared credentials — basic issues that we’ve known for years.”
With security now high on the business agenda, the working relationship between the CIO and CISO needs to be closer than ever, even as the tension between the two roles (one charged with responding to the business’s demands; the other ensuring that those don’t expose it to risk) persists. Thankfully, says Taylor, there is a new understanding of security dynamics within executive management. “Security among C-suite execs has evolved considerably in the past years. They have realized that security is not something that someone else does, it’s something that all of us do and that it’s critically important to their business.”
Despite Taylor’s optimism about security’s relationship with the rest of the business, it is still trying to lose the label, “The department of ‘no.’” Taylor blames a lack of communication between teams: “When you have information security teams properly embedded and talking directly to the business people at the right level then that question about yes or no never really comes up.”
In a 2017 survey by Pierre Audoin Consultants, cybersecurity was cited by about half of respondents as a barrier to the ability of business to adapt to changing working environments. The same proportion also regarded security as having a negative impact on productivity.
Defending the much-maligned security department, Taylor insists security is not a barrier to digital transformation. “You’ve got to make sure that what you want to transform is going to be sustainable long term. To ensure the revenue streams that are going to transform [the business] are secure, the data has to be secure and the systems have to be secure. Unless you have all of those pieces controlled then your transformation is not built on a solid foundation. So security’s never the department of no. It’s about the InfoSec team and the business people meeting together to take a risk decision with their eyes open.”
IoT and security
If security is left out of business conversations or not taken seriously, the consequences are obvious. Surprisingly, such thinking is not always extended to discussions around IoT devices, even though security professionals have been decrying the lack of caution around IoT adoption since long before the first toothbrush or fridge was connected to the internet.
“IoT and security is absolutely a massive topic,” says Taylor. He points to the Mirai botnet that attacked the domain name system (DNS) infrastructure of Dyn in 2016, taking down some of the most-used sites across the internet, including Twitter and Reddit. “Mirai was made up almost entirely of misconfigured IoT devices, and it took out an underlying DNS provider. That meant that around half the internet suddenly went dark for a few hours.”
New IoT botnet incarnations, such as Reaper and Satori, could have a more profound impact. “The threat this brings is the real possibility of cyber criminals starting to exploit the fact that we depend upon IoT devices,” says Taylor.
Who is to blame for the naivety around IoT security? Taylor points to two places. Some manufacturers who are embedding IoT into their products don’t comprehend the problems they are storing up for the future, he says, and businesses and consumers are not asking the right questions about the products they are buying. “They focus in on the shiny devices without thinking what the implications are,” he says.
He advises: “When considering an IoT device look at what data is going to flow through it and how to control that data.” Securing IoT devices follows the same principle as securing any computer, he says. “It’s about making sure that you’ve got the ability to secure, patch and update the devices.”
Asking the right questions and addressing the basics goes a long way to tackling the IoT cybersecurity threat. But, while it may be intimidating, the scale of the challenge can’t be ignored.