We are living in a time of ubiquitous digital technology. Not only are we constantly surrounded by digital gadgets, but as the cities and communities we live in become “smarter”, we become more reliant on technology for day-to-day services. With rapid digitisation comes an incessant demand for data. and, more often than not, it is our personal data that we directly disclose to various businesses and government agencies, or indirectly exchanged between third parties that enable these digital services.
Alarmingly, incidents of data breaches are becoming a common occurrence, with service providers failing to adequately protect the data that they have collected. Globally, governments are enacting increasingly onerous data protection regulations to protect individuals. An example is EU’s GDPR with penalties of up to 4% of company revenue. In Singapore, the Personal Data Protection Commission (PDPC) has also been active in investigating data breaches and penalising companies found to be in breach of local privacy laws. Yet, data leaks still continue.
Source: Breach Level Index – www.breachlevelindex.com
As a Cybersecurity consultant, I am often asked – “If data always leaks then how can we trust cybersecurity?” I believe that cyber defence should be treated as no less important than the defence of our physical safety and security; to accept cybersecurity as a lost battle could usher in a future of chaos and catastrophe, where trust is completely eroded and our critical infrastructure services could be at risk of attack. But this has been the subject of much expert commentary already and I don’t want to add to the doomsday messages. My intention is to look for practical solutions. As consumers of digital services: we should demand better accountability from service providers and this will pressure them to improve their cybersecurity performance.
Nobody likes to lose their data or have their private information compromised. It is even worse when organizations we trust, such as government, healthcare service providers, or educational institutions lose our data. We must put a higher value on our data: people need to complain to the authorities when they are affected by data breaches. When it comes to businesses that collect our data, we must be more discerning in sharing data and, when possible, vote with our feet by abandoning service providers that fail to protect our data.
We know that it is possible for organisations to attain a significant level of success in Cybersecurity because not all sectors are performing badly. Industries where Cybersecurity has a commercial imperative due to consumers demanding the highest level of security such as the financial services have performed quite well. Whilst we hear the odd story about unauthorised access by hackers to individual bank accounts through trickery or inadvertent transfer of funds to fraudsters, large breaches of customer data from banking institutions are rare. On the other hand, sectors such as health, education, retail, manufacturing and certain transport services are new to digitization, often don’t have direct accountability to consumers and clearly have not reached the maturity for them to reliably protect their customers’ data. These sectors need to adopt a more robust methodology for Cybersecurity, and it must start with the concept of ‘secure by design’.
Organizations that have reached a high level of Cybersecurity maturity didn’t get there by accident or good luck, it has taken them years of investment and fine tuning. They understand that Cybersecurity investment is a cost of doing business and “bake it in” at the onset of projects. But what does baked-in security mean and how can we achieve it? Cybersecurity is a multi-domain framework and there are various technical and non-technical issues that require careful consideration. A methodical approach is required starting with senior management’s buy-in on Cybersecurity as a business risk. The next critical element is security architecture. However, security architecture is one of the most misunderstood and therefore undervalued and underutilized domains of Cybersecurity.
So, let’s demystify security architecture. In the context of IT, architecture is defined as a fundamental underlying design of computer hardware, software or both. Therefore, in the case of Cybersecurity Architecture, we are talking about a fundamental underlying design of hardware and software that leads to securing our digital assets. In other words, security by careful design as opposed to patching security holes as an afterthought or ad-hoc exercise.
Now that we have defined security architecture, the next question is – why do we need it? Firstly, security architecture gives us a clearer understanding of security challenges we are trying to solve and manage, and security challenges can vary greatly from one organization to another. Secondly, the purpose of security architecture is to make our information system secure by design, allowing for better access control, monitoring, visibility, logging and auditing. Thirdly, good security architecture can protect against many known and yet unknown security threats and vulnerabilities.
To better understand this, let’s consider the concept of security zoning and compare it with an example from the physical security world. We are all very familiar with the rigorous security checks at airports when we fly. Airports and airlines around the world have a duty of care to ensure safety and security and therefore airports are architecturally designed to incorporate different kinds of security checks at various security checkpoints. But if a building hasn’t been designed with security zoning in mind it becomes difficult to retrofit security into it – the same can be said of an information system, which should also be designed with a concept of zoning to incorporate security checkpoints.
A well-known pitfall of Cybersecurity is the concept of the “zero-day-attack”, which refers to an attack or threat that hasn’t previously been seen. When such zero-day-attacks are revealed, it often becomes a race against time to find remedies, a difficult task as not all organizations have the capability to respond quickly. Having good security architecture from the outset can either prevent, or at the very least contain, damage from zero-day attacks.
As an IT industry insider, I am not surprised that we are seeing a record number of data breaches. I have seen too many examples of where security is presented as optional, something to do later if there’s budget allowance or just put aside as someone else’s problem. In the physical world of built environment, it is unthinkable to build a structure without engaging an architect. The digital world should be no different, the planning phase of any information service should always involve an architect. If the ultimate goal is to deliver a secure system, then security must be baked in from day one. At the end of the day, Cybersecurity can boil down to a simple equation: Security Architecture = Baked-in Security = Secure by Design.