SERVAAS VERBIEST (SV): Welcome to IT Availability Now, the show that tells stories of business resilience from the people who keep the digital world available.
I'm your host Servaas Verbiest and today, I'm joined by Rob Corso, Security Consulting Solutions Principal at Sungard AS. Happy to have you on the show today, Rob.
ROB CORSO (RC): Hey Servaas. Thanks for having me. Appreciate your time.
(SV): Good stuff. We're going to be discussing a really popular topic: the current trends and developments in cybersecurity. Now this is an ever-evolving topic. Nearly every type of cyber attack grew in volume in 2021, according to SonicWall’s 2022 Cyber Threat Report. Ransomware is up 105% and cryptojacking is becoming a more prominent problem with 97.1 million attacks. You have intrusion attacks up by 11%. IoT is being embraced across multiple industries and now they're dealing with IoT malware. It seems like it doesn't matter what's going on in the business, someone is looking to exploit these new technologies that are really driving innovation. It doesn't matter whether you're Microsoft, the Red Cross or even cryptocurrency exchanges, you're going to have to deal with this.
With cyber attacks continuing to increase in size and scope, what would you say are the most alarming cybersecurity trends you've seen lately, Rob?
(RC): It's interesting you ask, Servaas. One of the ones that is the most interesting is really the levels in which folks are going to implement ransomware and the way that they're attacking different data points, like you mentioned. You would think that it might be focused in any one specific area, and while there are trends specific to each industry and so forth, what you find over time - because I've studied this data as well for the past 15-20 years or what have you - the thing that's been consistent over time is that those attacks change. And what they're focusing on and who they focus on doesn't seem to have a real focus other than what rewards they can get for themselves with the data they can potentially capture.
The ransomware attacks and how they're getting to it, ways to work around things from the technology side are consistent, but I think our biggest threat, and again, folks listening to this don't take it wrong, is the people threat. Trying to establish that human firewall is really critical for organizations. Not only having it be a part of their culture to protect that data, but also how to be consistent about the approach and things of that nature. That's really what we're seeing on our side from our consultancy practice.
(SV): And I'm happy you brought up that human element because to the point you've made, that is the most unpredictable component that you're going to have to deal with on a regular basis.
Now, artificial intelligence is a big trend across multiple services and industries. So, it is manifesting itself into cybersecurity posture and the technologies that can support it. It almost seems like every security provider is incorporating some form of artificial intelligence into their offering, which is really interesting. Each one of them kind of looks a little different and there could be some benefits to this.
How would you say it really plays into maintaining a good cyber posture and mitigating against some of the potential threats that you mentioned?
(RC): It's interesting what I've seen, even looking back at this for the past few years. I've been watching this very closely, because back in 2021, some of the big four consulting firms did some surveys with some director level executives and they said, “Well, let's take a look at what the survey says.” And at the end, it said senior executives admit to their sometimes unethical use of AI.
That statement right there, of how it cannot be necessarily regulated, is a concern at times and how that data gets manipulated and sometimes used towards someone's advantage versus all these things that come about. It's very interesting to see how that's going to mature over time. Because again, there's going to be changes there on how that data can be used and how you can actually say this is spot on information as opposed to well, maybe somebody fudged the numbers here a little bit to help themselves. We need to be careful with that.
(SV): One of the things that I commonly bring up when anybody mentions artificial intelligence as a part of their offering or service is, what is that data? Where did it come from? How does it really evolve and impact the service over time?
Because we often think or look toward those positive benefits, like providing things dynamically and having a service that can look at large sets of data, identify trends and then make adjustments to how it's supported, but I really don't think anybody ever dives deep into that data question. Is that your experience as well?
(RC): That is it, Servaas. It's interesting if you look at it from a data privacy perspective. If you look at it from that lens for a moment, and you say, “Well, how can someone take this data and validate that it's actual and validate the source?” There are times when we need to be cognizant of that. As someone that uses that information, from my side of the desk, working with many companies around the country or the world, we see the different tools, we see how these ratings are being done. Organizations are using these types of tools to rate themselves to say, what do other organizations see when they look at my security posture at my organization?
It's quite an interesting challenge of how to use that information to evaluate an organization from a security perspective if you're looking at it from, for example, third party risk. If you choose to do business with vendor A, is that rating there going to stop you from doing business with them because they rate so low? Is it because maybe they haven't been around for a long period of time and there's not a lot of information gathered as of yet?
So you have to really use your best judgment when it comes down to that because I think due diligence about your own organization and when interacting with others, a lot of decisions need to be made based on observations, your trust in that organization and evaluating their business profile in general. I think when you look at those three areas and look at those data sources as a way to maybe just see from a broader spectrum, I think it's really worth your while to know about technology because it's evolving, but also to be able to do your own due diligence as an organization to evaluate those things before decisions are made without evidence of it being true or false.
(SV): That’s a good point, not taking the marketing materials for granted. Because I see that happen time and time again when I'm brought in to support the configuration of cloud platforms or the strategy in which an organization is going to attempt to embrace these technologies. You're usually handed a bunch of collateral that talks about how awesome something is and there's really nothing actionable that's specific to the use case.
It’s funny, because while that tells a great story on what the solution can do, when we talk about bad actors and how they evolve and fine tune their tactics, it's not like they're going to be basing it off of a marketing slick with high level materials, right? They're going to be looking for exploits, they're going to potentially be taking advantage of these AI platforms if they can understand how they work.
Beyond the stuff we've covered, what else do you think organizations should really consider as they try to remain secure and resilient?
(RC): That piece is really the challenge for organizations today of how far do we take it? How do we look at the critical components within our organization and protect them the most versus maybe other areas that require less protection because maybe they don't generate that much revenue for that organization, so they leave that as a lower priority?
The reason I mention that is the biggest thing is to have a prioritized approach about how you handle these things. Look at the things that have the most impact on your business. Look at the controls that are in place, make sure the controls are appropriate for the asset you're protecting, your data, your people, your process, your technology, and then governments have certain regulations they need to align to. Financial organizations, the same.
Depending upon what industry you're in, you look at those parameters and say, “I liked this framework. Here's what I need to do.” Get yourself at a good baseline of where you stand each year. Have a third party come in and help assess or audit you. And then from that perspective, prioritize remediating the items that have the highest risk to your business, maybe proactively. We need to be able to have employee-based training to make sure security awareness is on key and on target for all the new things that are coming up against this. How do we use technology? Are we trusting the source?
They call it artificial intelligence for a reason. So when you look at that, you say, “how does that apply to me?” A judgment should be made based on actual data that you know is secure and gets validated.
And lastly, I think the most important portion of this is really your people. Educating them around that culture of information security being important, and also of compliance. When you look at these programs, and they have all these controls, educating people on what those things are, is important.
I'll tell you a quick anecdotal story. I was working with an organization going around these very things and someone came up to me and said, “I'm in accounting. I don't really need to know about all this security stuff. That's for IT and the security team to worry about.” And right then and there I took that opportunity while we were doing a cyber incident management exercise and helped that person understand that it is really important about what they do and the steps that they take, and that culture which we're trying to embrace and elevate within the organization. While I understand it's a challenge, the better you know how to handle those things, the better you are to handle it if something were to happen and understand your roles as an individual contributor as well as someone who manages those programs and makes those decisions from an executive level.
Those decisions need to be made based on risk. So keeping your risk low and understanding your risk tolerance as an organization will help you stay on track and have a good plan. That's really what I see as what people are starting to become more passionate about, more than ever that I've observed over the past two to three years. Since coming a bit out of the COVID scenario of everyone working from home and understanding what they need to do and thinking about, I'm working in the house, but my computer is here. I'm not in an office anymore, or how do I handle these things? Are we doing the right things? What more should we do?
It's really interesting seeing how business as a whole is evolving and IT is keeping up with that over time to help people understand resilience, disaster recovery and naturally information security needs. It's a really interesting challenge for everyone. I think most folks are stepping up to it, and I think that's great for the industry as a whole.
(SV): I love how we managed to cover a really broad scope of topics given the subject matter because when it really comes down to it - and you've made some great points - it's about understanding the technology or any artificial intelligence that powers what's going to be powering you, mitigating that risk and not forgetting the people. We focus so much on technology that sometimes we forget that big element that really can create gaps and be the linchpin to maintaining a good posture and mitigating risks because we limit scope or awareness based on perceived responsibility. When you think about it, security is really the responsibility of everybody in an organization.
Taking the time to prioritize and execute based on the use case and taking time to understand the use case, so you can detach yourself from the situation, relax, look around and make calls that are going to get you to the outcome that you want, based on the risk profile you’re trying to maintain.
Rob, thanks for taking the time to be on the show today.
(RC): Servaas, my pleasure. Thank you again.
(SV): Rob Corso is the Security Consulting Solutions Principal at Sungard Availability Services.
You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow.
Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they’re available.
IT Availability Now is a production of Sungard Availability Services.
I’m your host, Servaas Verbiest, and until next time, stay available.