In the age of cloud technology, many companies mistakenly believe that their data and intellectual property is secure.
So says cybersecurity MD Colin Tankard, who has urged leaders to act to protect the ‘make or break’ of their business before it is too late.
Tankard has worked in the tech industry since 1987 – so long ago that he started out selling modems. His company Digital Pathways itself has operated since 1996, giving him a long-term view on an industry which can throw up new threats and solutions with every passing year.
“The first thing I say to anybody is to make sure that they consider protecting their intellectual property,” he tells BusinessCloud. “It could be a database of customers, say, or a brand new widget; whatever is the ‘make-or-break’ of what they do.”
Tankard originally worked on helping data security companies from the US and Israel to crack European markets. “We did everything for them from sales to support and installations. That’s how Digital Pathways came about,” he explains.
“As the markets changed, a lot of the US companies began to explore buyouts and mergers with other companies, and that value-added distributor model went away.
“It wasn’t really our DNA, to be honest, because we were very much around working with a client: looking at their security challenges and putting the right solution in place, rather than saying ‘we only have this one product and that’s all we can sell’.
“We became much more a solutions partner and installation services consultancy – even though underneath we still have products which we can sell.”
Move to the cloud
He says this has been a “subtle change” across the industry in the last five years or so as cloud technology has taken over from on-premise server solutions. “A customer might ask: how do I fix my cloud security? How do I know that no one’s touching my data when it’s in Microsoft 365? How do I back up my data? There are a raft of products – but what’s right for me?
“We’re becoming a trusted partner with long-term customers because they keep coming back to us.”
The way in which we access, use, share, handle and protect data has changed considerably. Data is no longer understood as documents, files and folders; it is also an IP address, personal identifiable information, emails, intellectual property, HR records, accounts, bank details, shopping habits, TV streaming and surveillance camera footage.
A ‘once-secure castle’ is now perimeter-less, making it more difficult to control, as businesses increasingly store their data with the likes of Microsoft Azure, Amazon AWS and Google Cloud.
“The expectation is that Microsoft or Google will look after everything. No, they don’t!” warns Tankard. “A big fallacy is that ‘my data will always be there’ – but those vendors only guarantee your service; they don’t guarantee your data.
“That is probably the biggest barrier, even today, that we face with many organisations.”
However he says that “the pain of security is now hitting everyone”- leading to greater awareness of the risks.
Secure APIs
Businesses keen to harness the power and expertise of others’ products within their own by connecting via application programming interfaces – APIs – had better be careful.
Indeed, Gartner predicted that APIs would become the top attack vector in 2022, with the warning that ‘unmanaged and unsecured APIs are easy targets for attacks, increasing vulnerability to security and privacy incidents’.
“The first question everyone asks is: ‘Have you got an API? Can I plug into it?’ Rather than: ‘How secure is your API?’
“APIs are the latest gaping holes that companies have in their networks,” says Tankard.
Encryption
The MD has also seen encryption rise to prominence recently despite working in that space himself since the 2000s, when it was adopted by banking and high-value networks.
“Encryption has become quite easy to manage with things like key rotation,” he says. “It is such a powerful tool in your cyber defence armoury – but it remains so easily overlooked. People still don’t think about it outside of encrypting their laptop.
“In the cloud, you’re putting your data on somebody else’s network: that is somebody else’s engineers looking at it, backing it up, moving it around. They can see your data.
“You should be protecting it in the cloud, which is where encryption comes in. And again, people just miss out on all of that.”
MFA
On multi-factor authentication – where a user is granted access to a website or application only after presenting two or more pieces of evidence to an authentication mechanism – he says: “It makes me smile because I’ve been selling that forever!
“Back in the day, it was a limited thing that everyone thought they needed – then it sort of disappeared as VPN clients came in. Now we’re coming back into identity management, zero trust and privileged access. Everything we said 30 years ago around that is really coming true – because you do need to identify the person… [the difference is that] the authentication is now getting smarter and easier.”
He says the government-backed Cyber Essentials scheme has forced the market to look at MFA with its recommendation that it should be applied to any cloud service that a business is running.
Board-level awareness
Is security still viewed as an afterthought – or ‘after-attack’ consideration – at board level, I ask him?
“Cyber is still seen as insurance,” answers Tankard. “‘Cost justification’ is the eternal insurance argument: I remember reading once that one of the huge oil companies doesn’t insure its tankers because the cost to insure them, when they only sink once every 50 years or so, isn’t worth it.
“The other thing blinding boards is that they sign off on a cyber purchase then, a year or two later, the CISO comes back and asks for something else – and they can’t understand why. It all gets lumped into one blob; you and I both know that cyber is layers of security; you need to do security in-depth.
“Then there is the dynamic change within organisations of the security layer: maybe there’s an incident and a new CISO comes in and wants to throw out everything that was in there; or perhaps the teams change and no one knows how to run the security because they’ve not been trained on it.
“The natural reaction is to get rid of it and put in something else; whereas when you look at infrastructure – switches, hubs, laptops, servers – they are a five- or six-year plan and never change.
“Cyber, however, seems to be one of those that gets layered on top because of that dynamic change.”