Cyber Versus IT Security in a Permanently Connected World

Author: Chris St Clair, BSc (Hons), CISA, FCCA
Date Published: 3 May 2023

In the “old days” before the internet became all-encompassing, “cyber” was a relatively new term. “IT security” was a major concern for organizations and individuals; it was understood to mean preventing the manipulation of data and systems by unauthorized third parties, and it applied not only to information and data but also to physical data centers.

Before the days of the smartphones and tablets that we now rely upon, and before cloud computing became commonplace, IT security was primarily focused around a number of critical tasks:

  • Asset management: Identifying and documenting the infrastructure, systems and applications in place;
  • Access controls: Managing access to systems and applications and working to a principle of “least required” privilege;
  • Change management: Controlling system changes to ensure that only properly tested and approved changes would be deployed;
  • System maintenance: Patching systems and applications to obtain new functionality and to remove inherent vulnerabilities; and
  • Backup and DR: Ensuring backups of both systems and data were available to guard against data corruption or physical loss and to enable recovery where needed.

So … what is different now?

There have been fundamental changes in the way IT is provided and consumed. The blurring of the lines between “hosted” and “on-premise” systems, the increase in “over the air” upgrades and patches, and the rapid and overwhelming move to home working during COVID have combined to exponentially increase the “weak points” that could be exploited by a malicious actor.

According to the UK’s National Cyber Security Centre (NCSC), the role of cybersecurity is “to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access—both online and at work—from theft or damage, and to prevent unauthorised access to the vast amounts of personal information we store on these devices, and online.”

The NCSC has a set of four objectives that define the activities required for good cybersecurity. While these include foundational and overarching activity, such as governance, processes and policies, they identify a number of familiar activities:

  • Asset management: Determining and understanding all systems and/or services required to maintain or support essential functions;
  • Identity and access control: Understanding, documenting and controlling access to networks and information systems;
  • System security: Protecting critical network and information systems and technology from cyberattacks through patching and system configuration (to limit functionality);
  • Resilient networks and systems: Building resilience against cyberattacks into the design, implementation, operation and management of systems through segregation, backups and physical resilience.

If we compare the “old” definition of IT security to the “new” definition of cybersecurity, we see very little fundamental difference in the nature of the activities themselves, but a much greater difference in the context in which these activities are performed.

In this view of the world, “cyber” can be seen to be simply a VECTOR—a way of attacking our systems and people through the internet, either directly (by hacking) or through compromise of our people (through social engineering).

So, in this “Cyber” Age, what do we need to do differently?

The three most significant areas in which the traditional IT security model differs from the cyber view are not technical IT processes as such; rather, they relate to consideration of the potential attack vector:

  1. The focus on data security due to the ever-increasing collection of personal data and the instigation of data protection regimes to control this;
  2. The need to consider system and infrastructure design that protects internal networks from the outside world; and
  3. The requirement to build processes and procedures to proactively detect cybersecurity events, minimize their impact and recover in a timely manner on the basis that it is a case of WHEN such events will happen, rather than IF.

The primary difference between cybersecurity and traditional IT security can be understood to be the need to consider how our “always on” and “permanently connected” world impacts people, systems and data, and to build new processes that are robust, scalable and protect our assets.

So, how do we move forwards? Fundamentally, we need to focus on getting the basics of IT security right. To do this, we need to remember that:

  1. It is easy to get seduced by “cyber” as this “big new thing” that requires us to do everything differently than what came before. But actually…
  2. It just adds a LAYER of activity and complexity to what we already have in place. So, we need to…
  3. Focus on getting the IT basics right so that we can …
  4. Better manage this new layer and, primarily, the systems, data and people exposed.