Is Australia a Hacker’s Paradise?
A discussion with Rotem Salomonovitch,
Chief Technical Officer, Netlinkz
Rotem, Australia seems to be a hacker’s paradise. Everyday there seems to be another cyber breach. Is it endemic corporate weakness, or are hackers just getting better? In my own family circle we have had three ransom attacks as well as funds diverted to bank accounts. And that’s not counting all the dodgy phone calls. It’s all pretty shocking.
Rotem: Yes – it is pretty shocking but somewhat understandable. Data is valuable – it’s a desirable currency which clearly can be monetised. Recent events have demonstrated that data-theft is a very lucrative business. The dodgy calls or the ransom attacks you mention – how did they get your number or email – it all sourced form potentially compromised data sources. So many or most databases responsible for housing data are also vulnerable. Are hackers getting better? Absolutely. Are hackers becoming more sophisticated – sure! The question is: Are Australian businesses – which are trusted custodians of our data – keeping up or are they falling behind? Recent security breaches unfortunately tend to indicate the latter.
Before we get into cybersecurity and how businesses are responding, tell me a little about yourself. You have had a lot of experience in the US. I’ve heard that you are called “the father of software defined networks”.
Rotem: Not the father. Maybe “one of the fathers” – but to your point, yes, I have diverse experience both in Australia and globally. I’ve worked with start-ups and big corporations in several roles in the security and networking space.
What do you think of the how Australian businesses are approaching cybersecurity?
Rotem: Well – it depends on the business and sector of operations. Broadly speaking, as I compare Australia and the US for example, in security terms, there are some standout differences. American businesses seem to think of security as an integral function of core business functions. It’s the same with international companies like BHP and Rio. In comparison, local Australian businesses are not as sophisticated when it comes to cyber matters. Maybe because they haven’t been as exposed to as many threats or have been dealing with cybersecurity for a shorter period of time.
In Australia, very often we see cyber security being thought of as more of an add-on, especially in some sectors like retail. They have been doing things one way for quite a while so security is grafted on rather than an integral part of the business. It’s an extra cost, so some businesses try to defer the spend or selectively implementing security measures in a patch like manner in a response to a cyber event. This approach, although does have value, is reactive and does not provide the necessary protection every business must employ. It’s no good putting seven padlocks on the front door and then leaving the side door open. But things are changing. Business leaders are of course realising the extent of the risk, and we are seeing things change which is pleasing.
To be fair, the cybersecurity landscape is also rapidly changing. And it’s a challenge for many businesses to keep up. But they must! One way for business leaders to keep up is to get educated about cybersecurity. What do I mean? For example, consider how communication infrastructure has changed. The way we exchange data has shifted from private infrastructure to the public Internet. When you think about it, we have essentially taken our data and made it accessible to hackers. This shift alone has significant impact on security practices and how business need to think about data in transit. Many leaders simply may not be aware or don’t understand the impact of this change and therefore are not responding or preparing their organisations adequately. Businesses must employ a security-first operational model going forward.
It’s surprising that there hasn’t been more pressure on companies from the insurers.
Rotem: If you are referring to insurance against data theft, there are a few things to consider here. Many insurers still operate on a trust model. The insurers ask various questions, and they expect honest answers. As an industry there is not enough validation. The industry needs to adopt a trust-but-verify model. There is too much room for abuse which leads to breaches. There’s not much point in asking whether a company has the necessary controls in place if the company isn’t aware of existing flaws in their procedures and systems. They can tick all the boxes in all sincerity, but that does not mean they are correctly implemented. Do their defences actually protect data? No doubt Medibank and Optus felt they were doing things correctly, but nearly four million pieces of data stolen is …quite a lot.
A good example of the trust but verify model is the evolution of vehicle insurance in the US. Insurers use data to measure actual real-time behaviour of motorists. A special dongle is installed in the insured vehicle to report driver behaviour. Are they driving too fast? cutting corner? or stopping abruptly? The risk is continuously assessed and quantified. This is the way it needs to be with cyber security. I think insurers will increasingly employ real-time measures to assess corporate behaviour and systems. Realtime validation of system integrity is critical to determine cybersecurity posture and to evaluate if defences are effective. Those businesses that pass will be considered low risk and will have their premiums adjusted accordingly – even month-to-month. Those that do not, will be asked to improve.
Saying that, protection of data is only one part of the solution. The best way to protect against data-breaches is not to have the data in the first place. Industry regulations need to evolve to ensure that businesses minimise the data they retain. That sounds obvious, but better data retention regulations will help in this area. I mean – you can’t steal what doesn’t exist. Right?!
So, what role do you think the VSN plays? Signals Directorate says the rate is one hack every seven minutes. When it happened to me, I was so discombobulated I didn’t think of reporting it so it may be far worse than as reported.
Rotem: Yes, under-reporting I think is very likely. As to the impact, I’d say that Netlinkz VSN is critical to helping businesses minimise data theft and as you mention, the rate of cyber-attacks. Netlinkz Virtual Secure Network or VSN helps business secures data in transit. It protects communications between all and every kind of Internet connected device. You can think of VSN as private invisible network that protects your data as it is sent between your devices, users, and applications.
VSN also deals with mobility. Why is that important? Well, devices, users, and applications used to be hosted in fixed locations. That is no longer the case. The world is becoming more and more mobile. This means that data is no longer being sent from location A to location B – rather it is sent from any location to any location. I.e., data sources are now mobile. To deal with this paradigm shift, any data protection solution needs to cater for data mobility. VSN can track data-sources dynamically to secure data regardless of location. VSN protects from Man-in-the-middle attacks and data theft by leveraging techniques like encryption, micro-segmentation, and zero-trust-access with the aim of reducing the attack surface for hackers. The smaller the attack surface, the harder it is to exploit security vulnerabilities and therefore steal data.
Protecting data in-transit is undoubtedly important, but as noted previously, it’s one piece of a larger puzzle. I always come back to this. Educating users about cyber security is equally important. Cyber security awareness is critical to ensuring that the impact of intentionally or unintentionally bypassing security measures is well understood. Technology can help, but the human factor cannot be ignored. Users need to be prudent and must appreciate the impact of for example clicking on email attachments. Opening an attachment may seem harmless but it can lead to the whole business being compromised. The attachment may be the thing that opens the latch on the front door to your business data. The hacker steps into your sitting room, thank you very much, in effect sitting beside you rifling through your documents.
Cybersecurity must be taken seriously and must not be ignored. The approach of “I have nothing to hide” or “Attackers are not interested in my data” can have serious security impacts for any business.
So, businesses must employ a multi-faceted approach to cybersecurity. VSN is a critical tool offering enhanced cybersecurity protection for businesses, but its efficacy must not be minimised by users wandering off into the high-risk, back streets of the web.
We have heard a lot about “zero trust”. What role does it play?
Rotem: Important question. With today’s Internet you must start from a stance of distrust, so we talk about VSN offering intrinsic “zero trust” architecture. Zero trust means that access to data is minimized, ensuring that only those who need access, have access. Attacks can come from anywhere or anyone, so the position of unrestricted data access, even if they are an employee, is no longer desirable or attainable. This means that inside a Virtual Secure Network with Zero trust, there is safety; outside it, well, who knows? Very often it’s ambivalent. It is better to distrust or an employ a zero-trust approach to data access rather than give a potential hacker access to your business’s data.
So, the VSN offers a safe communication space for small organizations, very large ones, homes, hospitals, government departments and industrial plants. It is a secure network that covers any distance; any place the Internet reaches, fixed or mobile.
Got it. So, do I only need VSN to ensure my data is secure?
Rotem: As mentioned, data protection requires a multi-faceted approach. As an industry we are learning, evolving, implementing tools like zero-trust to defend ourselves. We must continuously evaluate our cybersecurity posture and adjust. Cyber security requires an all-in approach across the whole of business and really across the whole industry.
We believe VSN will play an increasingly important role in closing cybersecurity gaps. We see it being widely adopted for very practical reasons: the cost of a secure communication environment isn’t high, while the cost of data theft can be almost bottomless. It is not just bankruptcies, but lives that can be at stake – think of hospitals infrastructure being disrupted. That may sound a bit dramatic, but it’s all too true.