Abigail: Welcome to the second series of our podcast, The new realities of cyber security. I’m your host, Abigail Wilson. In each episode of this podcast series, we’ll be inviting along some of our colleagues who are each experts in their fields to discuss what they do here and what they’re focusing on at the moment in the ever-changing world of cyber security. In today’s episode, we’re talking about the basics of cyber security and discussing the challenges organisations face in getting these right. Our guests today are Laura Duncan, a director in our private sector advisory practice, and Dr Richard Horne, a partner from our cyber security practice. Thanks for joining us Laura and Richard.
Richard: Pleasure. Good to be here.
Laura: Good to be here.
Abigail: That’s great. Can you introduce yourselves to everyone?
Laura: Sure. So, I’m Laura Duncan and I have been working with PwC for about ten years now. I mainly focus on the retail and consumer industry and right now I’m helping a lot of clients try and get their basics right, working a lot in the identity and access management space.
Richard: I’m Richard. I joined PwC five years ago to build a cyber security practice here and we help clients across all parts of the economy in the UK and way beyond. I help clients when they’ve been breached and help them respond to that and also a lot of work helping clients understand what they need to do and what their strategy needs to be for cyber security. And prior to PwC, I’ve been around cyber security for a global bank for many years and also spent a year seconded from there into government to help shape the national plan for cyber security.
Abigail: Great. Thanks guys. Richard, you’ve recently published a white paper which is titled ‘Know the game, not just the rules: the changing face of cyber security’. This outlines research you’ve been doing on the key cyber security challenges which need to be faced, one of which is called ‘fixing the hard basics’. Could you tell us more about this?
Richard: Yeah, sure. So, it’s one thing that many people say, and it’s true, that almost all cyber attacks end up exploiting some basic things that could have been sorted and could have stopped the attacks. Those basic things could be access rights that meant the attackers were able to get in very easily to systems they wanted to get to with the right level of authority to do the things they wanted to do. It could be systems that had vulnerabilities that were known about five years ago and should have been patched and they weren’t patched. Or it could be computers all being connected together on one single network and the attacker being able to just hop their way around the organisation very easily. All those kinds of things, people often refer to as the basics and there’s a phrase people often use, you just need to fix the basics. Well, actually that ‘just’ is wrong because it’s really hard. If you’ve got a big global enterprise like a big bank or any big organisation and maybe you’ve formed over many years, you’ve got acquired organisations in there and things like that, you’re going to have out-of-support IT, you’re going to have all sorts of issues all over the place and fixing the basics is really hard. So, it’s a bit of a misleading statement to say you’ve just got to fix the basics, ‘cause actually the core of cyber security is that hard question of how do you fix the basics?
Abigail: That’s a great point and it’s great that your paper acknowledges that. As a consultant, I often talk about security in an almost aspirational way with a list of endless security defences that we recommend our clients focus on. As your white paper gets to the very detail of what these fundamental basics are, what they look like and why they’re so important, it’s also good it acknowledges why they’re challenging. Laura, I’m wondering does this mirror what you’ve been seeing when working with clients recently? Have you found that they still haven’t been able to fix these hard basics?
Laura: Definitely. Most of the clients I go… look, cyber security is this cool new hot topic that’s actually been around for quite some time but they think that there’s some sort of sexy tool that they need to buy or something that they need to invest in or something massive that they’re missing or that their staff just don’t know about. And I hate to break it to them but I don’t really have the sexy solution to give them. It’s really about going back to the basics, going back to good housekeeping type activities, that make for a clean ship. Make sure that your organisation is operating in a way that can be managed, making sure your IT infrastructure is kept up to date. You know, things you would do in your house. You wouldn’t let your plumbing go if some pipes had burst and whatnot, and it’s the same in an organisation. You need to keep that infrastructure sorted. You need to clean your carpets, wash the floors, you need to make sure that you keep a clean environment and a lot of that is just doing some basic housekeeping.
Abigail: It sounds like a mindset and that’s another point that you mention in the white paper which is organisations need to shift away from viewing security as just another compliance function, another check box, but core to their operations in order to keep the data that matters to them secure. I’m wondering if you can talk more about this kind of area, about ultimately what can organisations do to approach and succeed in meeting this challenge?
Richard: Yeah, and I think you’re right. There’s a real cultural element to it. In many organisations it’s very easy to explain how you need to put some work into developing something new in the market or doing something new for customers or something that’s going to move the company forward. But trying to explain that you need to justify some investment or a whole load of effort in ‘cleaning’, essentially it doesn’t go down well. It’s a hard argument to make. But actually in many organisations we see, there’s out-of-support IT, there’s access rights that shouldn’t be there, there’s all sorts of things like that, the systems that should have been decommissioned, there’s data lying around that shouldn’t be lying around. These are all things that take time and effort to sort out. But for an attacker, they’re very easy to find. You’ve just got to run a scan and you’ll find systems that aren’t patched, you’ll find data that’s lying around, you’ll find access rights that shouldn’t be there and those kinds of things are very easy for an attacker to find. And so they really do need focus.
Laura: Yeah, and I think as well it’s not because companies aren’t trying. It’s just that they’re moving at a really rapid pace and trying to stay relevant. The reason you get out of sorts is because maybe you’re acquiring a lot of organisations in order to grow, or the massive disruption for me in the retail market has been going online instead of having a brick-and-mortar business, and that completely transforms a business. Yet that transition takes more than just a couple of years and so you’re left in this limbo while you’re transferring and transforming into a new type of organisation. And I think, like I said, it’s not for a lack of trying. I don’t want people to think that companies and organisations are just being lazy. It’s just really hard. Like Richard said, it’s basics but it’s hard to keep those basics intact and so you really have to think through how you can address those.
Abigail: Definitely. And especially in the retail sector as they’re now operating online, that’s operating in a completely different threat environment to the way that they used to.
Laura: Yeah, exactly.
Richard: And I think as well it’s easy to think of this as boring stuff, but actually there’s loads of innovation and loads of new ways of running IT that can really help with this and are really interesting and really quite exciting and can bring cost benefits as well. So, many organisations are starting to look at how they can structure their IT infrastructure as they use more and more cloud services, how they can set up their IT infrastructure so they have what’s called a cloud-first approach so that you turn your laptop on and it connects straight out to the cloud and then you can put all sorts of controls in the cloud that are hard to put in your data centres and then you can start to segment your network and things like that which again is really hard to do if you’re just looking at your network. But if you’re looking at the cloud-first, you can do things differently and there’s some really exciting technologies and exciting ways of working out there that can make fixing some of the hard basics actually easier and even save money at the same time.
Laura: Yeah, I think another example might be around access, so every organisation I go into, not just retail and consumer, every single one has a problem with access. It is really hard and it’s not just giving people access, it’s applications talking to one another, it’s now with robotics and RPA moving in too, Robotic Process Automation. This is all creating access rights and whatnot for people and products and you’ve got to navigate around that. It is really difficult but there are some things that are quite innovative in that space that I think are helping organisations. I know one thing that we’ve been doing is working with our actuaries to try and better quantify the risk, look at the behaviours of users and applications and monitor only those things that seem like outliers instead of monitoring everything that everybody does in all of your systems because that would take forever. We also look to things like single sign-on which makes it easier for a user to log in to the various applications they have to use in a day, but it’s also a really good security measure as well. So you do get some benefits from some of the new products and services that are out there these days.
Abigail: Yeah. I think single sign-on is a great example of that because it’s something that is both an enabler for an organisation to access all their services so easily, so it streamlines those operations, for example, making cost-cutting measures, but it also gives you control over your IT estate and what applications are being used by lots of different employees, maybe even globally. So, it also has those key security benefits, making it easier to pitch for investment to use these types of tools. I’m wondering about an area we briefly touched upon, which is security monitoring. That’s another hard basic that you talk about in your report, Richard. I think that’s another one where it’s optimising what you already have in place and having that different mindset, for example looking towards knowing what your risks are and what anomaly detection looks like for you as a business. I’m wondering if you’ve worked with clients in this particular area and helped them get to that stage?
Richard: Yeah, and I think this is a great example where you can use some innovative technology that’s come into the market to do things in very different ways. So, we’re starting to see examples of technology that authenticates users by the way they type. So, then authentication becomes completely transparent and it’s both helpful for the organisation in terms of the experience of people in that organisation but also giving you improved security. And this all comes down to more and more a concept of security as knowing what normal is and so you’re more able to detect outliers and focus in your efforts on things that are not normal behaviour. A lot of the security monitoring techniques that we’re seeing leading organisations use are very much focused on that, understanding what normal is and being able to look for those outliers and really focus in on them.
Laura: And that makes something really fun and sexy, right? That’s so cool to think about versus just some boring kind of, I don’t know, recertifying someone’s access who’s been with the company like me for ten years and of course yes she still needs this, to actually look at these behavioural analytics and whatnot, I think it’s just really fun.
Abigail: I think innovation is certainly helping with fixing the hard basics because it changes the mindset that they’re not just these boring housekeeping issues, they’re part of your technology transformation programmes, as an example.
Richard: Yeah, that’s right. I think for many organisations though it does start from really understanding how out of kilter your basics are, so for many organisations the starting point is really understanding who has access to what and realising just how out of control that is. It comes down to getting a proper baseline of the patching status of all your systems and understanding, if you haven’t focused on controlling it, just how out of control that will be. It comes down to understanding exactly how your network hangs together and how any machine can attack any other machine. We’ve talked with some organisations around how your vending machine could end up taking out your bank’s payment systems because they’re just totally connected. So, when you start to use language like that, people can start to understand the importance of fixing the basics.
Abigail: Great. Awesome guys. Thanks for joining us today. It’s been so great having you. I’m wondering if you have any final thoughts about looking to the future in this area? Do you think it will get easier for clients to solve these problems? Do you see anything related to the work you’re doing with your current clients? Does it look quite positive?
Richard: Yes. I think it does. I think the more we use cloud services the more we can essentially outsource some of those basics to suppliers whose job it is to keep focused on them and that can be really helpful. So, yeah, I think fixing the basics isn’t easy, it is hard, but it is important.
Laura: Yeah, and I think, as Richard and I were talking about earlier, once you know what state you’re in, once you’ve done that initial assessment, the next step is to just start. Everything is insurmountable until you start it and so therefore I think, like Richard said, there’s a lot of innovation going on to make starting easier for people and to better integrate that into your normal processes every day. So, just don’t be afraid to start and try and make things better.
Abigail: That’s great. It sounds like everyone’s approaching the right area in the right way. Thanks again for joining us today. It’s been really great having you. If you’d like to read Richard’s white paper ‘Know the game, not just the rules: the changing face of cyber security’ you can find a copy on our main website at pwc.co.uk/knowthegame. Remember to also subscribe to our series so you don’t miss out on our future episodes and if you have any questions about what we do here in cyber security please reach out to our guests on LinkedIn or send me a message on Twitter @securityswan. In our next episode, we’ll be chatting with members of our threat intelligence team to find out what activity they’ve been focusing on recently and also what they’re anticipating in the future threat landscape.
Cyber Threat Operations - Manager, PwC United Kingdom