What’s the best way to patch up a cyber security vulnerability?
Pretend it’s not there, of course.
It might sound like a bad joke, but it’s this attitude that has stood in the way of cyber security experts, such as Gary Gaskell, for the past 25 years.
Throughout his career, Gaskell has spent time spent working for universities, prominent banks and government departments.
And even as the 2013 Information Security Professional of the Year and a leading consultant in the field, there have been points in his career where his advice was falling on deaf ears.
“I was reflecting on why something like 20% of clients essentially rejected some of the observations because it was an inconvenient truth or something,” Gaskell said.
“I thought, ‘Okay, I've got to write better reports. I’ve got to be more logical.’”
However, upon further reflection, he soon realised the problem wasn’t his reports.
Clients were choosing to believe that bad things wouldn’t happen to them.
The early days
After a cryptography subject at the Queensland University of Technology sparked an interest in information security back in 1993, Gaskell has since devoted his career to ensuring cyber security is taken seriously.
Gaskell is one of the founding members of the Australian Information Security Association, taking the role of inaugural chair of the Brisbane branch in 2001.
And it’s this passion for cyber security that nearly cost him a job with a bank early in his career.
“I particularly remember starting at the bank, they said, ‘Look, I know we hired you as a security architect, but we really need someone to do this other [IT] work,’ and I'm like, ‘No, that's not my career plan. I think there's a bright future in cyber security.’”
“I declined, and I said to them, ‘If you didn't seriously hire me to do the security architect's job, let's just say I never started and I'll walk out.’
“That was day two.”
Although it got off to a shaky start, Gaskell worked extensively with the banking sector in the early days of online banking.
One of his most memorable jobs came at the turn of the millennium with one major Australian bank, when he was tasked with creating the security plan for its first-ever internet banking system.
Fast forward 17 years and online banking in Australia is serious business.
In 2016, Australian comparison site Finder found that Australians made a total of 606 million transactions using online banking in the previous financial year, with 41% growth from 2014.
Just like its popularity, Gaskell has seen the security measures around online banking, and in other industries, transform in his time.
He explains that it is no longer a lack of security mechanisms from banks that poses the biggest risk when it comes online banking – it’s us.
“Modern internet banking systems have really accepted that incidents will happen, and we don't.”
But according to Gaskell, this is driving a shift in the way in which banks and other websites protect customers online.
“The biggest weak points are the endpoint devices that the users are using,” he said. “So, there's not actually fundamentally trusted devices to log in from.”
“The banks actually detect anomalies based on probably a hacked workstation or a hacked Android phone and limit the transactions.
“The balance has changed from being solely focused on preventive controls to having a serious focus on detective and preventing controls, detecting and responding to the incident."
Seeing the change
In Gaskell’s current position of Principal Consultant for Infosec Services, he sees the differing approaches toward cyber security from a range of industries.
At times, he explains, businesses would still rather pretend nothing is wrong when a major cyber vulnerability appears.
“If you look at a system where it's had appalling security and it's really lacking, a CIO and CEO, who believes they’re fundamentally excellent managers, they don't want to hear the message that they’ve totally mismanaged the security of a multimillion-dollar IT project.
“Let’s face it – no one would!”
However, changing the perception and language used around cyber security is helping businesses choose to improve their cyber standards.
“Communicating to those people that it's not challenging their view of themselves as good managers, but pitching it as an improvement opportunity, so they can demonstrate how good a manager they are because they found these issues and they're going to fix it, so they own the problem.”
Additionally, major incidents, such as the Equifax breaches last year, are now driving top-down change in boardrooms around the world.
“The big change is executives and the Prime Minister are talking about it.
“That's driven change because people are having board-level discussions and people go, ‘Well, are we on top of this or are we not?’
“Almost every CEO in Australia knows that the Target America and Equifax CEOs lost their jobs because of a major cyber breach.
“That's what's changed. Hence CEOs go, ‘Well, where's my security manager? Has he or she got enough resources?’”
Who can you trust?
While CEOs may now be more willing to employ cyber security professionals to protect their organisations, there is still confusion when it comes to discerning who is and isn’t an expert.
“Anyone who comes out of uni or downloads a couple of tools onto their laptop can overnight set up a web page and call themselves a security expert.
“You can't do that if you're a civil engineer, or a doctor, or a lawyer, but this is what happens [in cyber security].
“I see the wildly varying quality of work in my work by other people that have claimed to be security experts and too often, they've been quite naive.”
What’s the greatest fear of one of Australia’s leading cyber experts?
“It’s the fact that we’ve built our economy on a fragile system of software,” he says.
“Software systems are very complex and we cannot produce software that is reliably secure in the current software market.
“How confident can we be connecting every business and government to the internet when there are vulnerabilities announced every day – somewhere between 10,000 and 18,000 of them in 2017.
“Essentially, we’re crossing our fingers, hoping for the best – hoping that the really serious hackers target someone else.”
Gary Gaskell is an ACS Certified Professional (Cyber Security).
In our CYBER EXPERTS SERIES, Information Age talks to cyber security leaders across Australia and beyond about the biggest threats facing the industry, how they got into cyber security, and what keeps them up at night.