Security for Your Security
Security for Your Security

Consensus, or at least the mutual acceptance of certain fundamental principles is rare across academia; rather, through dialogue and debate, individual viewpoints are challenged and progress occurs. The one exception, however, is the common pursuit to better predict and understand the future by first examining the past. With the benefit of hindsight, it is argued, individuals can spot trends to avoid pitfalls and better inform their decision making.  In this manner, individuals create their own preferred outcomes and efficiencies by identifying the past generations’ errors. And humanity marches on.

It may not be surprising, then, how academics and industry experts have struggled with the notion of cybercrime that has proliferated into one of the single most pervasive plagues affecting global corporations and communities alike. As this post is being penned, it is very unfortunate but likely that another data breach will be reported, another election result questioned and other system vulnerability exploited.

Perhaps the lack of preparation stems from the lack of reference points to use when assessing where to begin their analysis. But it is within this new paradigm, all individuals agree this problem needs to be tackled holistically with eradication as the shared outcome. And, as precedent has made clear, experts should revisit the past to guide their conclusions about the future.

How We Got Here: Revisiting the Past to Understand Cybersecurity

The advent of the now-anachronistic ‘micro’ computer began in earnest in the 1970’s. Soon thereabouts, what we now refer to as the internet emerged, though true ‘public’ availability of the internet has existed for less than twenty years. Since that time, we have been ill-equipped to both laud the successes of information sharing and to protect against the dangers associated with the rapid pace of change heralded by the internet. In response to this challenge, corporations and communities have sought advice from information security research agencies, consultants and vendors to backstop their purchasing decisions and offer solutions to protect against known dangers. And therein lies the problem. This has proven to be quite difficult as the computing landscape has morphed in the past decade from personal computers to laptops, tablets and smartphones with the focus on big data and confidential or proprietary information exponentially outweighing the value of the device itself.

An externality of this rapid growth has been the acute focus on device reporting and analytics to the detriment of device management.  The inexorable march towards the commoditization of the computing devices has softened the burden on device location and retrieval, provided the underlying data could be certified as intact and untampered.  Not surprisingly then, the average U.S. corporation utilizes between 4 to 10 security tools in their IT stack to protect that underlying data; ensuring device integrity and defending against the untoward actions of malfeasors. While this level of investment may seem excessive, even in the days of feudalistic warfare, a seemingly un-scalable wall only encouraged an incoming army to equip themselves with a larger ladder and their foe to defend themselves accordingly.

Today, we are in a constant struggle to defend against cybercriminals. They keep constructing longer ladders to scale our walls, no matter how much we try to fortify them. What happens next is to make sure that the wall is insurmountable.

Where Are We Going: Predicting the Future of Cybercrime

By 2021, Cisco predicts that more humans will use mobile phones than will have access to running water. This pervasiveness of smartphones and the computing devices in general has led to a corollary growth in the information security software market. One need only review the latest Gartner Magic Quadrant or Forrester Wave report for evidence of how crowded the marketplace for security vendors has become, as well as the ingenuity of how these vendors are seeking to thwart cybercriminals.

One common theme underlying certain security solutions is the notion of visibility, or often the lack thereof. Whether it is understanding the identity of your perpetrator, spotting a possible attack vector, or identifying a security tool that may be improperly configured, it is integral for all organizations to polish their glasses and ensure that full transparency is available.

The Center for Internet Security agrees, listing inventory and control of both hardware and software assets among the highest priorities to defend against cyber threats. European regulators are following the same route, encouraging compliance with the recently-enacted General Data Protection Regulation (GDPR) as a journey that begins with a comprehensive data and asset inventory. Some say that legislation will always be outpaced by technology and innovation; in the case of information security, however, the legislators may be catching up.

If we want to learn from the mistakes of the past, we can see that many of the largest cybercrimes to date have occurred because full visibility was not actually achievable. Major ‘incidents’ in the past decade at major U.S. retailers and corporations have led to the loss of billions of dollars. These incidents have also shown the full spectrum of nefarious actors’ capabilities in defeating even the most austere technology infrastructures. The corporate response to this latest stream of cyber attacks has been to create a layered defense strategy to protect against new or similar incidents. Corporations rely on encryption, antivirus, firewall, multi-factor authentication and other administrative safeguards in addition to robust internal training programs to pacify themselves, and other corporate stakeholders, that this defense-in-depth philosophy is ironclad against even the most sophisticated attack.

Gartner predicts that global information technology spending will increase 6.2% in 2018: the highest rate of growth in over a decade. Courts and legislators have responded in kind with guidelines and rulings that point to multi-pronged device management strategies as fundamental when representing that your information technology posture was ‘industry standard’.  Further, cybersecurity insurance policies offer additional reassurance for corporations, though with certain exceptions and exclusions.  And yet, even with all of this rigour, some of the most sophisticated global corporations lack fundamental device and data visibility. These “ironclad” defense-in-depth strategies are missing a critical component: visibility. To continue the analogy, if you cannot make sure your wall is standing up strong, how will you know it is working?

The Solution: Back to Basics

The return to sound asset management practices signals a hard reset in the information security market and a return to basic corporate hygiene that emphasizes 20/20 visibility.

Corporations are spending more time and effort identifying their weaknesses by first surveying their existing device population, network perimeters, distributed workforces and potential data drifts. In this respect, the best offense is a good defense.

Rather than starting from scratch and discarding incumbent technology, corporations require a solution to underwrite these investments. A solution that makes sense fiscally and technologically, and responds to the strictest of privacy proponents and regulators. Enter Persistence technology by Absolute, an inimitable platform designed specifically to bolster any corporation’s existing information security infrastructure. This platform will work alongside your resident security tools to help construct an omniscient information technology department for any corporation or community.

In times of conflict, empires would spend their downtime reinforcing and reconfiguring their castles with arrow slits, moats, enceintes, keeps and watchtowers to survey incoming armies. It is useful to remind ourselves that the success of these empires was often measured by their preparedness in the face of incoming attacks and their ability to rapidly direct their own soldiers. Visibility and management, above all things, was – and is still – paramount.

To learn more about Absolute’s Persistence technology, how it can help harden your security defenses, and the return on investment it offers, download the Forrester Total Economic Impact report.

ABOUT THE AUTHOR

Oliver deGeest

Oliver deGeest has served as Absolute’s Vice President, Legal since 2014. He leads the global legal function across the company. Previously, Mr. deGeest worked as a corporate attorney at Weil, Gotshal & Manges LLP in New York and at Lawson Lundell LLP in Vancouver, B.C. Oliver has a bachelor’s degree in political science from the University of British Columbia and a Juris Doctor degree from the University of Toronto, Faculty of Law.