In the age of cloud technology, many companies mistakenly believe that their data and intellectual property are secure.
So says cybersecurity MD Colin Tankard, who has urged leaders to act to protect the ‘make or break’ of their business before it is too late.
Tankard has worked in the tech industry since 1987 – so long ago that he started out selling modems. His company itself has operated since 1996, giving him a long-term view on an industry which can throw up new threats and solutions with every passing year.
“The first thing I say to anybody is to make sure that they consider protecting their intellectual property,” he tells BusinessCloud. “It could be a database of customers, say, or a brand new widget; whatever is the ‘make-or-break’ of what they do.”
Tankard originally worked on helping data security companies from the US and Israel to crack European markets. “We did everything for them from sales to support and installations. That’s how Digital Pathways came about,” he explains.
“As the markets changed, a lot of the US companies began to explore buyouts and mergers with other companies, and that value-added distributor model went away.
“It wasn’t really our DNA, to be honest, because we were very much around working with a client: looking at their security challenges and putting the right solution in place, rather than saying ‘we only have this one product and that’s all we can sell’.
“We became much more a solutions partner and installation services consultancy – even though underneath we still have products which we can sell.”
Move to the cloud
He says this has been a “subtle change” across the industry in the last five years or so as cloud technology has taken over from on-premise server solutions. “A customer might ask: how do I fix my cloud security? How do I know that no one’s touching my data when it’s in Microsoft 365? How do I back up my data? There are a raft of products – but what’s right for me?
“We’re becoming a trusted partner with long-term customers because they keep coming back to us.”
The way in which we access, use, share, handle and protect data has changed considerably. Data is no longer understood as documents, files and folders; it is also an IP address, personally identifiable information, emails, intellectual property, HR records, accounts, bank details, shopping habits, TV streaming and surveillance camera footage.
A ‘once-secure castle’ is now perimeter-less, making it more difficult to control, as businesses increasingly store their data with the likes of Microsoft Azure, Amazon AWS and Google Cloud.
“The expectation is that Microsoft or Google will look after everything. No, they don’t!” warns Tankard. “A big fallacy is that ‘my data will always be there’ – but those vendors only guarantee your service; they don’t guarantee your data.
“That is probably the biggest barrier, even today, that we face with many organisations.”
However he says that “the pain of security is now hitting everyone” – leading to greater awareness of the risks.
Secure APIs
Businesses keen to harness the power and expertise of others’ products within their own by connecting via application programming interfaces – APIs – had better be careful.
Indeed, Gartner predicted that APIs would become the top attack vector in 2022, with the warning that ‘unmanaged and unsecured APIs are easy targets for attacks, increasing vulnerability to security and privacy incidents’.
“The first question everyone asks is: ‘Have you got an API? Can I plug into it?’ Rather than: ‘How secure is your API?’
“APIs are the latest gaping holes that companies have in their networks,” says Tankard.
Encryption
The MD has also seen encryption rise to prominence recently despite working in that space himself since the 2000s, when it was adopted by banking and high-value networks.
“Encryption has become quite easy to manage with things like key rotation,” he says. “It is such a powerful tool in your cyber defence armoury – but it remains so easily overlooked. People still don’t think about it outside of encrypting their laptop.
“In the cloud, you’re putting your data on somebody else’s network: that is somebody else’s engineers looking at it, backing it up, moving it around. They can see your data.
“You should be protecting it in the cloud, which is where encryption comes in. And again, people just miss out on all of that.”
MFA
On multi-factor authentication – where a user is granted access to a website or application only after presenting two or more pieces of evidence to an authentication mechanism – he says: “It makes me smile because I’ve been selling that forever!
“Back in the day, it was a limited thing that everyone thought they needed – then it sort of disappeared as VPN clients came in. Now we’re coming back into identity management, zero trust and privileged access. Everything we said 30 years ago around that is really coming true – because you do need to identify the person… [the difference is that] the authentication is now getting smarter and easier.”
He says the government-backed Cyber Essentials scheme has forced the market to look at MFA with its recommendation that it should be applied to any cloud service that a business is running.
Board-level awareness
Is security still viewed as an afterthought – or ‘after-attack’ consideration – at board level, I ask him?
“Cyber is still seen as insurance,” answers Tankard. “‘Cost justification’ is the eternal insurance argument: I remember reading once that one of the huge oil companies doesn’t insure its tankers because the cost to insure them, when they only sink once every 50 years or so, isn’t worth it.
“The other thing blinding boards is that they sign off on a cyber purchase then, a year or two later, the CISO comes back and asks for something else – and they can’t understand why. It all gets lumped into one blob; you and I both know that cyber is layers of security; you need to do security in-depth.
“Then there is the dynamic change within organisations of the security layer: maybe there’s an incident and a new CISO comes in and wants to throw out everything that was in there; or perhaps the teams change and no one knows how to run the security because they’ve not been trained on it.
“The natural reaction is to get rid of it and put in something else; whereas when you look at infrastructure – switches, hubs, laptops, servers – they are a five- or six-year plan and never change.
“Cyber, however, seems to be one of those that gets layered on top because of that dynamic change.”


