How to make security a weapon in your managed services arsenal


When the heads of 19 countries and the EU flew into Brisbane last November for the two-day, $400 million G20 conference, they floated in on a three-year bonanza for the channel that has reoriented Queensland as a centre for information security opportunities.

Even before the VIPs took the scorching ride from the tarmac to their five-star hotel rooms, the 4000 delegates, 2500 journalists and some 1000 assorted hangers-on attending the Group of 20 event were protected almost one for one by 5000 police and 1900 soldiers.

The physical security bill was eye-watering: the Australian Government gave $100 million and the Australian Defence Force $8 million to lock down the G20. Security guards cost $34 million, and then there was the bill for an ammunition stockpile ($25 million) and bomb-proof Mercedes-Benz limos to ferry leaders in style ($1.8 million). There was even $2.9 million to hire 27 kilometres of 2.8 metre-high steel fences, barriers and gates (apparently sheep farmers snapped them up for $500,000 after the crowds went home).

But spending also flowed into information security. One of the requirements for hosting the prestigious event was that the state spend $457 million over 15 years on a secure digital radio network, to be managed by Telstra (about $50 million has been spent to date).

The Department of Science, IT, Innovation and the Arts also committed $3.12 million over two years to 2015 for its Tactical Cybersecurity program. The Queensland Police Service spent $1 million of its $2.07 billion annual budget last year upgrading its IT systems for the G20.

And it spent $18.5 million on mobile devices providing real-time information so beat cops could respond to incidents more quickly. And security testing, risk and compliance will take a chunk of the state’s $19 million one-stop shop eGovernment portal.

Information security consultancies say G20 spending, coupled with the state government ousting an infosec consulting incumbent, caused their businesses to flower even while traditional IT is stagnant or in retreat. And there was a sense that Queensland had fallen behind in securing its critical infrastructure, highlighted in a 2013 Queensland Audit Office report that found Brisbane transport systems vulnerable to cyber attack.

The new services and intense scrutiny put compliance, penetration testing, and defence against social engineering and other malicious attacks on the desks of decision-makers.

Urgency was amplified by high-profile attacks in the past 18 months on the likes of Sony and Target in the US. But still too many of Australia’s boards are too intransigent to see the danger, says Phil Kernick, the founder of Adelaide-based security consultancy CQR.

“They have no experience in [information security]. The industry I live in didn’t exist until the late 1990s,” says Kernick, who opened a Brisbane office on the back of G20 business. CQR has about 40 staff in Adelaide, Melbourne, Sydney and the UK.

“For board members in their 70s, for 50 years of their life, IT didn’t matter. If you talk to these boards, they will say it’s a marketing problem and that’s neither true nor sensible. There’s merit to having younger people on boards who understand the issues.”

Kernick says boards are very bad at managing risk. “People don’t even understand the concept. Risk is like cattle, it’s not like bugs. You have to understand and manage it; it can’t be eliminated.”

Technologists scaring people with threats such as director liability are also culpable. Kernick, who advises the Queensland Government and ASX-listed companies, instead advocates enlightened self-interest.

“The issue comes down to personalising the risk but without the beat-up. If you tell [directors] they’re personally liable, they say, ‘Show me a single board member that has ever been sued’. 

“Instead, you say, ‘But if you don’t protect the information your organisation keeps, when the bad guys get in they will know your home address and what you pay in school fees’. And at that point [the response] is, ‘Holy crap!’ You can imagine the look on their face: ‘It didn’t occur to me before’.”

Kernick says his compliance-management business is growing “hundreds of percent year on year”. 

Intalock’s Julian Haber is also riding high on Queensland’s heightened information security posture, reporting “monstrous growth” last year. Intalock, the Brisbane consultancy he founded with his wife, has seen a dramatic uptick in business each year since it formed out of Symantec’s consulting organisation five years ago. It now specialises in Symantec solutions, data security and management, and managed security services.

And while he’s not seeing as much compliance work as there might be if Australia’s compliance laws had teeth, Haber says penetration testing and sales of hardware and managed services are rocketing. The Sydney office it opened a year ago to serve its financial institution customers is also growing.

One of the biggest contributors to growth was a “significant win” with the Queensland Government’s Tactical Security Program to support the G20. “The state government has made major inroads in cyber-policing, but the job is never over,” Haber says. “They’re probably leading the way among state governments: not as mature as some federal government departments, but for state governments they’re doing a pretty bloody good job as long as they keep it up.”

Intalock provides vulnerability assessments to the Queensland Government and managed services for gateways responding to malware traffic, he says.

Although Queensland was “incredibly effective” at thwarting distributed denial-of-service attacks, malicious actors are escalating. “If they had reached their destination target, they would have downed whole government departments.”

Many organisations, oblivious to what is on their network, exacerbate the problem. “We also work with clients to build out a response plan if a critical asset were compromised. The best technology won’t keep bad guys out. We need a balanced approach to cybersecurity; it should be about monitoring and response, as well.” 

He says a budget split of 60 percent to prevention and the rest to clean-up and analysis is about right for many big organisations.

Security acquisitions

The growth in information security business hasn’t escaped the notice of larger security and service providers that have been snapping up the boutique providers.

BAE Systems kicked off the recent acquisition cycle four years ago, with its $24 million buyout of Sydney IT security provider Stratsec that had bought rival SIFT a few months before. The parent British security and defence behemoth recorded 2013 revenue of £18.18 billion ($34 billion).

And last October, Telstra paid an undisclosed sum for its partner, Brisbane IT security consultancy Bridge Point, which employs 75 staff across Australia. The buy, coming soon after Telstra bought integrator O2 Networks, filled a blank in Telstra’s Network Applications and Services (NAS) portfolio. Bridge Point focuses on security, governance, risk compliance and data-management consultancy, and provides a growing suite of managed services. It counts among its customers Queensland Government departments such as Queensland Health and the departments of transport and education, as well as Suncorp Group and BP.

“Working with a large government organisation, we see the same issues come up, so rather than take their money, we sat down with their applications and development teams and gave them recommendations on secure development practices to address the sheer majority of issues at the source,” says Bridge Point managing principal consultant Michael Trott.

He says the organisation had a “very broad attack surface”, meaning hackers had breached its systems on a “number of instances”. And while the breaches “weren’t as severe as they could have been”, the fact that malicious actors were getting in was worrying.

Trott says developers are often to blame because most have never heard of secure software development. “And software development houses don’t see security as a core focus. Functionality is king – they’re more worried about getting the products out in the world and they worry about [security] later.”

Key to Bridge Point’s success in improving security was introducing developers to the Open Web Application Security Project (OWASP) that bills itself as a “worldwide not-for-profit charitable organisation focused on improving the security of software”.

OWASP’s marquee contribution is its Top 10 list of the most critical web application security flaws. It includes injection (such as tampering with a parameter in the browser’s URL so that the application’s database query returns records the user should never see) and cross-site scripting (XSS), where attacker-supplied script runs in the victim’s browser with the trust and session of a legitimate website.

“Developers aren’t aware of these requirements or understand the ramifications,” Trott says. “A lot of the tool sets developers use, while they’re efficient in enabling developers to push out reasonable-quality code, do not have the ability to identify systemic [security] issues.” But tools such as SourceClear promise to help developers write secure code.
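The two Top 10 flaws mentioned above are easiest to understand side by side with their fixes. The following is an added example written for this article, not code from Bridge Point or the Queensland Government. It uses an in-memory SQLite table with constructed sample rows: the vulnerable lookup splices the URL parameter straight into the SQL text, so a value like `1 OR 1=1` returns every row; the hardened version validates the type and binds the value as a parameter, so it can never change the query’s structure. The profile renderer shows the same pattern for XSS, with `html.escape` as the fix.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not taken from any real system).
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Injection flaw: the request parameter becomes part of the SQL statement itself."""
    sql = "SELECT id, name, email FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_id):
    """Fix: reject anything that is not an integer, then bind the value as a parameter.

    The database receives the query structure and the value separately, so the
    value cannot add an OR clause, a comment or a second statement.
    """
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (uid,)
    ).fetchall()


def render_profile_vulnerable(name):
    """XSS flaw: user-controlled text is placed into HTML unmodified."""
    return "<p>Welcome, " + name + "</p>"


def render_profile_hardened(name):
    """Fix: HTML-encode the text so the browser treats it as data, not markup."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"          # what an attacker would put in ?id=
    print("vulnerable:", lookup_vulnerable(db, tampered))   # leaks every row
    print("hardened:  ", lookup_hardened(db, tampered))     # nothing
    print("hardened:  ", lookup_hardened(db, "1"))          # only alice
    payload = "<script>alert(1)</script>"
    print(render_profile_vulnerable(payload))
    print(render_profile_hardened(payload))
```

The type check in `lookup_hardened` is deliberate: parameter binding alone stops injection, but validating that an identifier is actually an integer also keeps junk out of logs and error messages. For the XSS case, escaping must happen at the point of output into HTML, since the same string may also need different encoding if it is later placed in JavaScript or a URL.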

Smart end-customers want experts to manage their risk just like they do their accounting, audit, legal and other professional services, says CQR’s Kernick.

It’s a point echoed by Shane Martin, enterprise strategy consultant at Huawei and former CIO of property developers Mirvac and Stockland.

“The customer will continually get asked, ‘What is the risk profile?’ So managed service providers need to be able to respond to these questions,” Martin says. “If I am running your services, your communications, your servers, what is the disaster recovery? What certification do you have around penetration testing? What is your incident management approach?”

He advises resellers to add risk management to their portfolio of services: “Customers need some comfort from MSPs.”

Tactical advice

Customers are looking for managed security service providers to offer tactical business advice, says George Piatta, information security manager of investment management company Perpetual. Although not authorised to speak on behalf of the wealth management group and limiting his comments to his personal view, Piatta says that resellers, “instead of giving us a massive brain dump, should give us their experience implementing Salesforce [for instance] in other customers”.

A former security consultant, Piatta pays attention to whether providers are gauging the organisation’s risk appetite. Providers must also map technology to the language of the boardroom and business outcomes, he says.

Cloud adoption is a risk for financial-services companies, he says. He’s influenced by the Cloud Security Alliance and the Jericho Forum; the latter argued that the boundary between an organisation’s network and the outside world is dissolving and that controls must move to the data and services themselves. He says an IT service provider must create repeatable cloud templates for their customers that evaluate data leakage, contractual security clauses, and audit services to meet Australian Prudential Regulation Authority (APRA) and Privacy Act requirements.

“Now the perimeter is extending into the cloud and mobile devices; it is very much grey.” And Piatta says resellers must know the “business requirements to make sure business continuity is in place and be able to support the business with a security architecture”.

Piatta is close to all parts of the business, which gives him the jump on social engineering attempts, he says. For instance, service desks need clear policies about what can be disclosed, while marketing and HR need guidance about what can be said on official and employee social media.

On the technical side, organisations can lower their risk by implementing two-factor authentication, such as texting a one-time confirmation code to a phone over SMS, says Oh Sieng Chye, malware researcher at antivirus vendor ESET.

“Unlike large, complex security architecture, two-factor authentication serves as a scalable and cost-effective way to protect many businesses,” Oh says. Although he lists the biggest threats of 2014 as POODLE, Heartbleed and Shellshock, it is data breaches and leakages that will dominate this current year.
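The server side of the SMS second factor described above is small enough to show in full. The following is an added example written for this article, not ESET’s code or any product’s API. It assumes a hypothetical `OtpStore` that sits behind the login handler: `issue` generates a six-digit code from a cryptographically secure source and keeps only a salted hash of it, `verify` enforces a five-minute lifetime, a five-attempt limit and single use, and compares in constant time. Delivery to the handset is left to whatever SMS gateway the business uses. Note the caveat a practitioner would attach: these checks protect the stored code on the server, but an SMS code is still exposed to interception or SIM swapping in transit, which is why SMS is considered the weakest form of second factor.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses before the code is discarded


def _digest(salt: bytes, code: str) -> bytes:
    """Salted hash of a code; the plaintext code is never stored."""
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class OtpStore:
    """Hypothetical server-side store for pending SMS one-time codes (example only)."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable clock so expiry can be tested
        self._pending = {}         # user -> {salt, digest, expires, attempts}

    def issue(self, user: str) -> str:
        """Create a fresh code for the user and return it for the SMS gateway.

        Any previous pending code for the same user is replaced. The code is
        returned only so it can be sent; it must not be logged.
        """
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, leading zeros kept
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "salt": salt,
            "digest": _digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Check a submitted code: expired, exhausted or reused codes all fail."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        # hmac.compare_digest avoids leaking how many leading bytes matched.
        ok = hmac.compare_digest(entry["digest"], _digest(entry["salt"], submitted))
        if ok:
            del self._pending[user]   # single use: a replayed code is rejected
        return ok


def wrong_guess(code: str) -> str:
    """Helper for demonstrations: a six-digit value guaranteed to differ from code."""
    return "000000" if code != "000000" else "000001"


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice")        # hand to the SMS gateway here
    print("wrong code accepted?", store.verify("alice", wrong_guess(code)))
    print("right code accepted?", store.verify("alice", code))
    print("replay accepted?    ", store.verify("alice", code))
```

The attempt counter matters as much as the hash: a six-digit code has only a million values, so without a limit an attacker who can drive the login form could simply enumerate them inside the five-minute window. Rate limiting the issue step per user and per phone number is the matching control against SMS-flooding abuse.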

“Most cyber attacks [use] social engineering. Koler ransomware, spread through pornography websites, would lock [the device] pretending to be an Australian Government authority claiming to have found illegal material and demand a fine to return use.”

And despite the sums spent on protecting the G20, an email carrying a malicious Word attachment spread to supporters of Tibetan freedom. “By pretending to be a benevolent organisation, many Australians were tricked into opening an infected file that they may not have opened were it from a different source.”

Look beyond

As part of an audit, resellers should look beyond their customers’ firewalls to those of their clients’ suppliers or customers, says Bryce Boland, chief technology officer of vendor FireEye.

“The supply chain is becoming one of the biggest threats for business today. We’ve seen a lot of attacks supplying the supply chain to larger organisations,” Boland says. “As organisations become more mature in risk management, often the weakness will lie in someone they trust that doesn’t have the maturity yet.”

The shift to cloud and its complex web of providers widens exposure, he says.

“As you put what matters most to your business – intellectual property, customer information, core business processes – into third parties, you’re expanding your risk. Business can manage some of their own risk reasonably well, [but] they have less control and awareness of the risk of their partners.

“From the attacker’s perspective, attacking a service provider that hooks into many businesses is more effective. That increases your risk because companies providing services to other companies are becoming much more valuable targets to attackers.”

But despite advances in the threat landscape, at a high level the war hasn’t changed in 20 years. Battle-scarred information security warrior turned angel investor and property developer Drazen Drazic says companies are driven by short-termism. This translates to cutting costs and pursuing “glory” IT while ignoring risks. 

“CIOs will always be better at whiz-bang technology, and it looks better to the board and shareholders,” Drazic says. “Security isn’t so sexy; and how do you quantify the result? It’s not a big glory job because there’s not a lot [that is] tangible there to demonstrate what someone is doing.”

He’s also critical of a gathering of Australian company directors last year that “brushed over” IT as a priority: “That was a bit of a concern”. (A 2013 global IBM study of senior executives found that while every other country surveyed put IT at number-one priority, Australians put it third place behind regulatory compliance and, distressingly, competition.)

He blames a lot of the woes that surround companies such as Sony on a management culture that pushes security responsibility down to IT. The opportunity is for resellers and consultants to push for meetings with senior management.

“I don’t have a lot of confidence that companies are putting the fixes in. If you patch a system then you’re just stopping new hackers getting in and not getting out those who are already in there.”

And despite founding Securus Global, one of Australia’s leading penetration testers, he’s ambivalent about the benefits for organisations engaging such services for security theatre. “If you have bad process and security in your whole organisation then pen testing won’t help you.

“Most of our clients understand they have to be worried about security but Australians, overall, are pretty lax about it,” he says.

He advises the channel to make the security discussion about the culture of their customers’ businesses.

“Every company we talk to, we stress it has to be part of day-to-day business and culture. It has to be there at the forefront of your mind. You have to think: what are your security obligations?”

Once the consultant has built up trust with the client, it’s time to get down to straight talking on risk. Drazic says that until there is trust, there will always be cynics within the client organisation who see it as a sales pitch. But once the trust has been established, “we can be blunt with our clients and at least get them to listen”.

“Everyone always assumes that someone else in the company has it under control,” he adds. 

Copyright © nextmedia Pty Ltd. All rights reserved.