Business white paper

Security in the digital age: Staying safe in a rapidly converging physical and virtual world
Post on 12-Jan-2017

Table of contents

2 Introduction
2 Classic security
2 Modern security
3 Weak points
5 Recommendations
8 Conclusion
8 About the authors

Introduction

The proliferation of intelligent devices is providing ever-increasing entry points for those looking to exploit the assets of both citizens and government organizations. Increasingly the physical and virtual worlds are converging, so an integrated response, compliant with local privacy laws, is required.

This paper highlights how the security battlefield is changing and identifies how the challenge in remaining secure has grown exponentially.

Most importantly, it provides recommendations as to the actions you can take as a leader to ensure your organization is prepared both before and, increasingly, after an attack.

Classic security

It wasn’t so long ago that security was a matter for the security specialists, e.g., military, emergency services, and private sector security players. The threats could be easily identified by the fact that they looked different from the “good guys,” and they typically had to pass through a physical perimeter to conduct their malicious activity. Thus, vulnerabilities tended to be located on the physical periphery of the building under attack. This was relatively easy to monitor, and attacks were usually obvious.

In the bygone era, security tended to have a castle feel to it. Moats, high walls, strong doors, and boundary patrols were key elements.

Modern security

But the world has moved on. Increased mobility, coupled with the proliferation of smart devices and sensors, has had the effect of blurring the boundary. Today every device, from a printer to a phone to a car, is an access point.

Attacks are typically concealed. The enemy may enter your organization via your supply chain, via a socially off-guard employee, or through poor policy. What is more, increasingly the threat can operate unhindered for months, if not years, before the breach is identified.

The arrival of the Internet of Things (IoT) adds a whole new dimension to the challenge, as does the unregulated usage of recording devices, including those mounted on drones.

Unfortunately, the hacker community is highly collaborative and organized. Those that compromise your organization’s infrastructure may have no interest in their plunder. However, they know exactly who does, and will monetize their efforts via “internal” markets accordingly.

We are also witnessing the emergence of a generation of people who have no problem sharing their most intimate of details. They do not always make the connection between being burgled whilst on holiday, and the fact that they promoted their forthcoming holiday on their social networks with the vigor of a new entrant marketer. Fortunately, to varying extents, those in charge recognize the importance of privacy. However, privacy’s gain is often security’s loss. The recent FBI and Apple iPhone® saga highlights this.

It is clear that your organization cannot rely on a castle-based model, given that threats can emerge from a bewildering array of entry points. Thus, a model more akin to a hotel has to be considered. One has to operate knowing that people, with good and bad intent, are passing through your environment on a continual basis. Given the porousness of your infrastructure, it is perhaps better to start from the position that you have already been compromised. In the digital economy, threat detection trumps threat prevention.

Weak points

As we have seen, building and maintaining a robust security framework is challenging in the digital age. Other challenges include:

Weak authentication policy: A poor security culture invariably leads to a lackadaisical approach to good practice. Passwords of the form “password123,” or passwords that could be retrieved by knowing just a couple of personal facts, e.g., names of children, pets, or favorite football team, make life very easy for attackers. So do “passwords for life” and devices with no “timeout” enforcement.

Lack of leadership in both war and peacetime: Some organizations fail to understand that security is not a departmental issue, but one that concerns everybody, including the leadership. During “peacetime,” nobody in the leadership team is governing the security model (usually “abdicated to the IT function”). During times of war, there needs to be a command system to ensure that the threat is dealt with as a priority, with no delays in the allocation of the necessary resources.

The enemy has a sophisticated collaborative ecosystem: This has already been mentioned. The openness of the “dark side” has cultivated an ecosystem that enables a small piece of intelligence acquired by an adolescent hacker to be used as the spearhead of a state-sponsored assault.

Humans are too social and trusting: It is in our nature to be trusting, particularly where the threat has been kind to us (creating the pressure of reciprocity), or simply charms us into revealing more than is wise.

Poor software release and patch management: The vendor community has no interest in their offerings being perceived as insecure; however, some will be faster than others in responding to new threats. But this is of little value if your organization does not install the associated updates and patches. Just because the users perceive no functional benefit in the latest upgrades, it is not reason enough to take no action.

Compromised software: Some hackers cleverly find their way into the organization via the development tools used to build the software used by your people. Thus, the vendor has inadvertently played an active role in compromising your organization. Such zero-day attacks are a serious concern because the attacker is likely to have already exploited the vulnerability before it is discovered.

A shortage of battle-hardened infosecurity experts: The exponential growth in the demand for security experts is not being met with a similar growth in expertise. Even if the education system were retuned accordingly, it would still take a number of years before the graduates gained the real-world experience to be effective security professionals. This is a problem that is set to become more acute.

IoT: Every device from heart pacemaker to car is a potential entry point or target for hackers. The thought that your driverless car can be commandeered by anyone from bored kids to foreign security agencies is unsettling. The growth in wearable devices, for example fitness wristbands, also adds a new dimension to the security challenge.

Privacy: As mentioned, in addressing increasingly cunning attacks, it would make life easier for authorities to waive the right to privacy. A balance has to be achieved to avoid the consequences of a post-privacy society. The extent to which each government adheres to this will depend on local legislation.

Your supply chain: As mentioned, your supply chain, or even your users or citizens, is a potential entry point for attackers. But the increasing volatility of the market means that supplier relationships and partnerships will form and dissolve at a greater rate. Your increasingly tactical relationships have the potential to be the source of great financial or reputational loss.

Your staff: Your staff, through a casual approach to security, might well be the source of vulnerability. Weak passwords, not closing secure cabinets, and revealing sensitive information in an insecure environment are all ways of inadvertently causing damage. Some staff may have been planted to exploit your organization from the inside, and are happy to do so. Others may be under pressure to exploit your organization, despite their otherwise good character, because they are being coerced by a malevolent third party.

Other governments: Such a third party might well be another government. If it is cheaper to acquire intellectual property through theft than through costly research and development efforts, then it makes economic sense to proceed in that fashion. This is only if the state concerned has a set of values that support such behavior. State sponsored acts are a concern, not least because of the resources they can draw upon to achieve their goals.

Recommendations

There is a lot to consider when planning and implementing a secure environment. Here are some steps you can take to strengthen your defenses:

• Appoint a chief security officer (CSO) who in the event of an attack has permission to take control of the organization until the threat is eliminated. Keep in mind that whilst many aspects of modern day security are IT related, the responsibility of the CSO needs to extend across all aspects of your organization’s defenses.

• Run scenario exercises to ensure everyone in the organization understands their role in the event of a detection. Well-rehearsed procedures will dampen the impact of a breach.

• Audit all actors and assets in your organization and supply chain in respect of their trustworthiness and “infosecurity robustness,” and engage with them accordingly. In fact, it would be wise to make these primary criteria in choosing suppliers, staff, and even customers.

• Utilize real-time sensors to discourage threats. Their visibility can serve as a deterrent. Their functionality provides context and evidence for the purposes of prosecution.

• Develop a security policy and architecture that has a compartmentalizing impact on the degree to which a threat can propagate around the organization. Again, think hotel rather than castle model. Even though anybody can enter the lobby, only certain people can enter the rooms or cupboards.

• Understand the intentions of your HR function, and agree how you address the associated threat possibilities. The emergence of personally owned devices, including wearables, needs to be factored into your security policy. Some of these wearables may be driven by your HR function, in respect of talent engagement.

• Ensure all staff understand their role in respect of maintaining a secure environment. Create a culture where your people are both careful and vigilant.

• Ensure your public relations function is briefed on how and when to disclose breaches. Timing is everything. Too early and you might cause the attackers to bring their plans forward. Too late and you may be accused of negligent behavior.

• Build your security team with genuinely experienced staff, who understand technology, policy, the mindset of the attackers, and human nature. Experienced security specialists can make a lot more money in the private sector. You might consider keeping a small, highly capable in-house team whose primary role is to coordinate the activities and relationships with specialist providers. Certain activities, such as setting up secure processes, monitoring your environment, and being first on the scene when a threat is detected, might best be done by those who have the appropriate economies of scale. Such organizations regard security management as their core business.

• Automate intelligence gathering by using public or open source intelligence. Also, integrate the relevant classified sources. This frees up your people so they can focus on higher value analysis work, rather than labor-intensive data gathering.

• Embrace video analysis tools. Such tools can identify irregular behavior in real time and alert the appropriate authorities. They can also be used to gather evidence, particularly where lengthy video content needs to be analyzed. This speeds up evidence gathering, reduces the associated cost, and again, frees up your people to focus on higher value activities. The associated surveillance technology can be deployed at high-risk locations such as airports, railway stations, and shopping malls. Regulated zones such as the public highway can also be monitored for both security and safety purposes.

• Reduce staff and citizen inconvenience by using biometric security such as facial or voice recognition. Citizens thus enjoy an improved experience. You save on costly labor, which when overworked can be prone to potentially devastating mistakes.

• Assume you have already been compromised, and so maintain a threat detection posture at all times.

• “Deep audit” your processes by engaging specialists to penetrate your defenses and subsequently advise on how to rectify the detected vulnerabilities.

• Ensure your critical security systems are integrated to provide a holistic view of your environment and the associated threats. The data needed to trigger critical alerts may well lie within your systems, but will only do so if all your systems act as one.

• Keep on top of the latest attack developments, such as product vulnerabilities and social attacks. Only when staff are aware of, for example, spear phishing will they be more guarded when clicking on links within personalized and seemingly harmless messages.

• Enter into a public-private partnership with security specialists to keep abreast of the latest developments in counter attack technologies.

Conclusion

The vulnerability points in the organizational infrastructure are increasing rapidly with the growth of intelligent device usage in society. Users, citizens, suppliers, and partners all represent potential entry points for malevolent behavior. Security impacts everyone, and therefore should not be shoehorned or abdicated into the remit of the IT function. Ultimately, information security, from both a virtual and physical perspective, is a leadership issue. Thus, 21st century public sector leaders need to regard it as a fiduciary duty both to understand the issues and to deploy the appropriate resources to protect those that rely on their services.

About the authors

Pierre Mirlesse

Pierre Mirlesse leads HPE Mobility business in the EMEA region. Mirlesse joined HP (now known as Hewlett Packard Enterprise) over 20 years ago, advising industries and government organizations in their digital experience transformation. He has held a number of executive positions around the globe including Middle East-Africa VP, Worldwide SMB VP based in Palo Alto, Asia-Pacific VP for HP Managed Print Services, and distribution director in Middle East, Africa, and Eastern Europe.

Pierre is a recognized industry keynote speaker. He now lives in the UK with his family. Find out more about Pierre on LinkedIn: ch.linkedin.com/in/pierremirlesse

Ade McCormack

Ade McCormack is a near futurist, digital strategist, keynote speaker, and author. He is a columnist with CIO magazine, and a former columnist with the Financial Times, focusing on digital leadership. His experience extends over three decades and almost 30 countries across many sectors. He has written a number of books, including one on the future of work (Beyond Nine to Five: Your career guide to the digital age). He has also lectured at MIT Sloan School of Management on digital leadership. For more information on Ade, visit ademccormack.com.

Learn more at hpe.com/us/en/solutions/security.html

© Copyright 2016 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

iPhone is a trademark of Apple Computer, Inc. registered in the U.S. and other countries.

4AA6-4685ENW, March 2016