MATTHEW PARSONS (MP): Welcome to IT Availability Now, the show that tells stories of business resilience from the people who keep the digital world available.
I'm Matthew Parsons, Director of Network and Security Product Management at Sungard AS, and today, I'll be joined by a number of other Sungard AS experts to discuss how to stay resilient in 2023.
With cyber attacks on the rise, companies are investing more than ever in their security solutions, spending tens, even hundreds of thousands of dollars a year to secure their environments. Yet, despite all the investments spent on security tools and services, there's one critical element often overlooked which can be the weak link resulting in a breach. The latest 2022 IBM Security Report revealed the most common initial attack vectors were compromised credentials at 19%, phishing at 16% and cloud misconfiguration at 15%. Fifty percent - half - of the breaches in their study were caused by some type of human error.
In a separate IBM Threat Intelligence Index Report, that sample dataset showed 41% of the initial attack vectors were caused by phishing. And just last week - you might have seen it in the headlines - Uber, the giant ride-hailing business, was hacked, with the hacker releasing a statement that they gained initial access to Uber’s network via social engineering. They posed as an IT worker and tricked an employee into sending them login credentials. Ladies and gentlemen, the security weak link your company should focus on is the human element. You can have all the security controls in the world, but if you have an employee opening the door for hackers to freely walk into your network, you're going to have a bad time. With that said, here are three things you can take away to ensure that your business stays secure and resilient in 2023.
First, invest time and money into training your employees. For as much time and money that is spent on tools and security widgets, don't forget your employees. Conduct mandatory security and compliance training on a regular basis, educate your employees on the risks and common techniques associated with phishing and social engineering, make it easy to report suspect activity to IT and security and conduct regular phishing and social engineering exercises to help reinforce the learning for your team.
Second, assume that humans will be humans. Plan that Bob will give out his credentials or that Karen is going to open that bad email attachment and that at some point, a bad actor will be let into your environment. This means employing a zero trust, least privilege access model with all the components of a robust defense in depth solution.
And third, be prepared for the worst. Have your regularly tested DR and incident response plan to ensure that in the case of a worst-case scenario of a ransomware you have offsite, immutable, air-gapped backups, which you can restore into a cleanroom for forensics, cleaning and scrubbing to then go live with.
So to summarize, don't forget about the human element - your employees - as they can be the strongest or weakest link in your security posture. With that, joining us next to talk about what he thinks businesses should most be preparing for in the coming year is Rob Corso, Security Consulting Solutions Principal at Sungard AS.
ROB CORSO (RC): Hi everyone.
What we want to talk a little bit about today are three main areas that we'd like to cover. The first being that what organizations need to really focus on and understand is really the threats that impact them and how to align their defenses with the threats specific to their industry, how they distribute data and areas such as that. That really gives you the key to understand what applies to you and what doesn't.
And secondly, some of the critical areas we'd like to talk about is being in a position to understand what resilience means to your organization by having, quite frankly, an understanding of how systems are maintained, how they're patched over time and really being able to use that as a mechanism to ensure that what you’ve built stays secure over time. Sometimes what we find is that unfortunately, there's no one solution that fits every organization, so really, what seems to work best for organizations is a point in time assessment of the program, and naturally the technical controls so that you can prioritize what needs to be remediated.
Train the folks that are involved from IT to HR to the end users, application development, you name it, and maintain that culture of security within your organization. Building that resilience and culture within your organization will go a long way to maintain it over time. I wish everyone the best of luck. Thanks again.
Next we'll hear from Asher de Metz, Senior Manager of Security Consulting at Sungard AS to talk about some ongoing events that businesses should be aware of and how they can prepare.
ASHER DE METZ (AD): I think a little historical context is really important when looking ahead so we can learn from the past. In previous years, we've had a serious lack of emphasis put on the essentials of cybersecurity. If we look at all the news reports of the major breaches, all have been based around some elements of basics - the basics of cybersecurity: patching, password hardening, filtering, segmentation, the very very basics. And it’s not that companies don't care or that IT folks don't care, it's that they don't have the headcount there to install and configure these essentials of cybersecurity. That’s in boom time, but now we're getting into difficult, turbulent times. Difficult as in the economy, so there are going to be eliminations in headcount. What that's going to mean is that there's going to be even less people available in order to make sure that the basics of cybersecurity are set. So when we couple that with other elements in these foreboding times, you're going to have a lot of people that are gonna be desperate and hungry and very motivated to commit cyber crime in order to get money and feed their families. That is going to be putting a lot more pressure on companies because cybercrime is going to go up significantly, with people who have got literally nothing to lose.
Then you've got another element that's going to come into play, which is going to be Russia. Once the war with Ukraine is over, they're gonna turn their sights on a lot of companies and lots of countries that attack them in some sort of economic way or other whether it's directly against Russia or against the oligarchs, taking their yachts and the like. So it's going to be Russia hacking a lot of these companies in order to get some payback.
Then we've got China attacking Taiwan. Well, if the U.S. gets involved, China is obviously going to ramp up their attacks. So we've got a lot of dark clouds on the horizon meaning that cybercrime, cyber attacks are going to go up significantly. Headcounts are likely going to be reduced. So what I will be recommending to companies is to not reduce headcount, but actually increase it for cybersecurity teams and for IT teams so that they can dedicate their resources to taking care of the essentials of cybersecurity. This isn’t the million dollar software package that’s supposedly going to save them, the cherries on top, this is just the very very basics that are essential to keeping the company secure.
Up next, we’ve got Darpan Thaker, Senior Director of Product Management at Sungard AS. He’s going to share some thoughts on staying resilient.
DARPAN THAKER (DT): Thanks.
So as far as resiliency is concerned, especially with this age of digital transformation and also in wake of ransomware attacks everywhere out there, there are a couple of things that come to my mind when it comes to resiliency in 2023.
With all this public cloud transformation or migrating all your workloads off of one premises to public cloud, sometimes people assume that, “hey, if I'm in public cloud, I don't need DR or I don't need resiliency, right?” That's not true. When you are migrating your workloads to public cloud, you’ve got to design your environment in such a way that you do not have any single point of failure as far as a production environment is concerned. So basically, the availability zones, making sure that your resources would be available for your business, irrespective of what happens on the production side of the business. And also, have a DR region within the public cloud platform where you can go ahead and replicate your workload, your systems and applications and make sure that if there is an extended amount of updates within the production region of the public cloud provider, then you can always go back to the DR region, bringing up your systems and applications that you need.
Also, you know, with the public cloud adoption, we have seen a lot of adoption with a SaaS provider - Software as a Service provider. It could be outsourcing of a business process or maybe, software as a service that you want to leverage for your environment or your business process. Oftentimes customers do not ask the right questions to SaaS providers so they kind of take it for granted or on the face value that when I subscribe for this SaaS service, my resiliency is kind of granted. However, that may or may not be true, based on with whom you're working. So if you're signing up for any SaaS provider, make sure that resilience is kind of built into their offering. You probably have some level of SLA that you can count on your vendor. If something goes wrong, they can go ahead and bring up your environment, whether it's the production side of the business or disaster recovery side of the business. So that is another nuance that I would definitely address and like people to address in 2023.
And last but not the least, obviously, with ever-increasing ransomware attacks, you've got to make sure that you have the right level of mechanisms in your environment to detect this kind of attack and ultimately, if something sneaks into your environment, how this modern data protection solution can give you immutable and air-gapped backups, other features and functionalities along with maybe your role in some type of recovery simulation as well to make sure that you have the maturity as an organization to go out and restore and recover your systems and applications if something really goes wrong. So, again, a few thoughts out there, whether transforming to the public cloud platform or subscribing for a SaaS based service, make sure that your organization is resilient for cyber or ransomware.
(MP): You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow. Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they're available.
IT Availability Now is a production of Sungard Availability Services. I'm Matthew Parsons and, until next time, stay available.