Almost a year on from the WannaCry ransomware attack, TEISS talks with Kevin Cunningham, Chief Strategy Officer and Co-Founder of SailPoint about cyber education, leadership and what it will take to change the system.
Kevin explains that cyber security adoption rates vary from sector to sector. Most cyber security initiatives start in the financial services - heavily regulated, complex environments – which are under a lot of pressure to be cutting edge in terms of the technology that they're bringing into the marketplace.
In contrast, the NHS is still at the 'awareness building' stage.
Getting serious about cyber crime
Kevin says: "Healthcare organisations are typically very slow to adopt new technologies and they tend to be laggards in the marketplace." Government bodies fair better in his opinion, but only slightly.
"Sometimes it takes a wake-up call to get somebody motivated to really take a serious look at cyber crime," he points out, referring to the major security breach of The U.S. Office of Personnel Management by the Chinese government in June 2015. "That was a huge wake-up call for the federal markets in the U.S. which had a great impact on rethinking the adoption of cyber security measures," he adds.
The UK government is following a similar trend but there's not been a huge call to action. Kevin thinks that it would either take strong leadership to say we're going to be serious about protecting our citizens or a major incident to shake the system up.
Also of interest: Technology vs humans: what works for cyber security?
The problem with the WannaCry aftermath, is how do you put in place the right measures to protect yourself against an attack like that repeating? Once again, humans have a role to play.
"It affects employees and actually attacks the weakest link in the security chain which is humans because people are the ones that are infected with it, then it spreads like a virus. And that's always been the case," Kevin states.
It's no longer the lone hacker, Kevin adds. These are highly sophisticated, well-funded organised criminals – terrorist cells, foreign governments - who are very patient and very smart.
Kevin sets the scene: "They may have an innocuous entry point, maybe through a partner organisation; they get in and start looking around, create new identities for themselves and by the time they're discovered – they've already stolen the data," he says.
Aware that people are the weakest link, the bad guys take advantage of attacking individuals and trying to get them to give up credentials. They don't have to have a very high success rate, all they need is to hit one employee and then use that as a leverage point into the enterprise. The average time to detect a breach is about 220 days.
Also of interest: Preventing carbon unit failures
A cyber education problem
"This is not just a technology problem, it's an education problem; it's really important to make sure that people are part of the solution," Kevin advises.
So how do we shift the employee mindset?
"It's like medicine, you have to make it taste as good as you can."
Kevin says that we have to make sure people understand that we are under constant attack and it's part of their job and responsibility to help be part of that defence. "We've got to get to the point where people just understand that it's inherently part of the job," he adds.
Also of interest: Phishing: what's next?
Getting cyber responsible
Ironically, the NHS and the government should be among the most trusted institutions. So can we trust any organisation these days?
Kevin has not given up all hope. However, he warns that the only safe assumption in this day and age is that your identity is compromised, so you have to act accordingly.
"You, as an individual, have to do your own self preservation. So for instance, when I do any online banking I don't just rely on a password - my bank gives me the 2-factor authentication option. I think there is a certain responsibility to bring to ourselves for self-protection in that regard," Kevin advises.
Organisations, whether they be government or private, should be held more accountable, Kevin thinks. They need to take the right steps to minimize the impact of breaches when they do happen, as well as providing the appropriate notification, which is what GDPR is all about.
This is a man vs. man problem, so will it ever be solved? Can we ever get to the point where I can trust X implicitly?
"No, I don't think so because the more we close one hole in our security strategies, the bad guys will try and find a new one," Kevin says.
SailPoint enables customers to efficiently manage digital identities, securely and confidently. Since co-founding SailPoint in 2005, Kevin’s mission has been to educate companies on building identity governance from the bottom up. He believes that it’s imperative for companies to bridge the skills gap to ensure every employee is tech savvy, creating a watertight operation.