News broke yesterday that the captain’s of critical UK industries have been warned by the government that they need to be ready for a serious cyber-incident. Sector-specific regulators are being designated in order to ensure that essential services are protected, and to impose steep fines of up to £17 million for non-compliance. Terry Ray, CTO at Imperva commented below.
Terry Ray, CTO at Imperva:
“Security in infrastructure services in most countries is not generally excellent. Typically their primary fears are state sponsored attacks which aren’t overly common on services like water, sanitation, or even energy, transportation and others. There are good examples of attacks outside the UK on nuclear reactors, oil pipelines and other systems for various reasons.
Enhanced security around infrastructure is a good move. Many of these services have personal data on just about every household and/or citizen in the country. If you have an electric service, registered vehicle, drivers permit, health Id, etc. you’re data is readily stored within these services. Some of these services may have regulations requiring data protection some may not, regardless of such, industry specific regulations, here the Government is saying, security could be better, and it better be.
The shortest path to better security is watching the activity on all systems. Today, it’s likely that most of these service departments monitor some of the activity in their networks and data repositories. The first step after making a general current assessment should be to increase visibility. Very few organizations have the visibility they need to detect and prevent a breach throughout their environment. Watching the what’s going on is the first step to knowing what’s going on.
Governments are massive and as such have massive complicated networks storing vast amounts of data on just about every topic. Yet they watch access to very, very little of the data. If they want to protect information they need to watch the information/data. This has been a lingering problem in both public and private sector organizations and will continue to be until cybersecurity professionals place the importance of data as high or higher than they that of the network itself.
As long as there are foreign nations attacks by them will likely continue. Obviously some more malicious than others. Attacks will come, what is important is detection and mitigation of the attack. The gap, is detection. Most organizations don’t know they’ve been attacked until days, months or even years after the breach. Why? Yes I harp on this only because it’s true. They weren’t watching the data. Yes organizations watch their networks and users, but networks don’t get stolen, this isn’t what’s being talked about here and almost all data stolen is stolen from an authorized user account so watching for failed users or fake users is useless. Watching what attackers are after is how both cyber security and physical security works. Want to protect gold. Lock it up, hire security guards and put cameras on it. Want to know what’s going on on a street? CCTV. Watching begins the process of detection.”