A former police detective who was among the first people in the world to run a dedicated computer crimes division, David Thompson has seen it all.
Starting from scratch in the late 1980s, Thompson – then a ten-year fraud investigator with the Victoria Police – set up and led the Computer Crime Squad for a further 10 years before retiring to the private sector during the ‘dot com’ boom to commence his current role as an information security and forensics consultant.
His current firm, FSR Consulting, provides cybersecurity consulting and digital forensics capabilities to companies that are increasingly wrestling with the complexities of security in an era of digital transformation.
Yet those complexities are not just the result of innovative new cybersecurity compromises and attacker tactics, Thompson says.
Rather, the evolution of cybersecurity risks over the last 30 years has been driven largely by the immediacy provided by increased connectivity.
“In the late 1980s computing was relatively embryonic in businesses, and it was all very centralised with very limited interconnection to the outside world,” he recalls.
“Similar attacks to those today already existed, people were hacked into via their modems, and there very much were computer fraud issues in the early days. But it was limited by the technology, and the problems were related to the state of the technology.”
Over time, however – and particularly as the Internet emerged and then grew to become a global communications force – massive scale, ease of interconnectivity and risks around security best practices rapidly increased industry exposure to potential criminal exploitation.
The interconnectedness of things
Working in the private sector, Thompson regularly sees common and persisting issues creating vulnerabilities for organisations.
“The early fraud challenges – around the value of digital information and the ability to copy, duplicate, and misuse it for personal or competitive advantage – still exist,” he explains.
“It’s really about misuse of systems that people are entrusted to use for their day-to-day work.”
Businesses are still struggling to recognise the value of their information before wayward employees or outsiders do – and this, Thompson warns, is creating endemic vulnerabilities that executives are failing to tackle head-on.
“People have become more aware of cybersecurity issues over time, but they have many other business issues to focus on as well,” he says.
“This has made it slow to get the attention of senior business executives – which means that organisations need to call in consulting assistance to give cybersecurity the proactive and reactive attention needed.”
Organisations would be well advised to call in that assistance sooner rather than later: with the Internet of Things (IoT) paradigm rapidly adding new vulnerabilities and touch points to enterprise networks, Thompson warns that things are about to change dramatically once again.
“We are right on the cusp of a major technology explosion into what people are calling the hyperconnected world,” he explains.
“This is that world of IoT, smart systems and ubiquitous computing in which everything is connected to everything, and digital things are being connected to physical things.”
“It’s a new phase of the digital world, like when the Internet came along, and the threats and potential issues have a greater potential of occurring.”
Think forensically
With Australia’s notifiable data breaches (NDB) scheme and the European Union’s general data protection regulation (GDPR) now in place and consumer data right (CDR) legislation looming, Australian organisations must have a better grip on their data and tighter controls over it than ever before.
Those regulations “are helping people realise that this is a critical issue for business,” Thompson says, “and that they will need to be able to identify data breaches and report them when they affect other people.”
“It’s raising the awareness of the obligations of everybody to protect and respect others’ personal data.”
To meet the requirements of this heightened regulatory environment, Thompson says, businesses should be investing not only in defensive technologies but also working hard to implement proactive monitoring and logging tools that track exactly what is happening in their environment.
“We’re at a point in time,” Thompson explains, “where the digital world is rapidly changing and about to expand into a whole new period where physical cyber connections, smart autonomous systems and IoT devices will bring new risks and increased potential for breaches and attacks.”
Such capabilities not only offer direction for forensic investigators in the event of a breach, but when paired with automation they can improve and hasten the company’s ability to quickly detect and respond to security incidents.
“The more that people have recorded in their system, the more prepared they are for investigations of the facts,” Thompson explains. “Proactive monitoring and logging are very important to help respond to an incident.”
Matching threat levels and threat response
That ability – or the lack thereof – is what keeps Thompson up at night.
The biggest threat we face at the moment, he explains, is “the complexity of systems and the ability of owners and operators to truly understand what their systems are doing – and what they’re interconnected with.”
“Forensic rigour is required to investigate and prove what has occurred to a high enough level of proof, whether in a commercial dispute situation or a complex legal situation.”
“We need a more robust and thorough version of the things that we talked about 30 years ago.”
By inventorying their data assets and implementing secure process structures, companies can keep themselves ahead of potential compromises and minimise their exposure to the fast-expanding interconnectedness of things.
Beyond the three key defensive tactics – incorporating cybersecurity and digital risk issues into broader risk-management frameworks, undertaking regular threat and vulnerability assessments, and monitoring and logging system and user activity – Thompson also stresses the importance of a fourth key element.
That element is cultural change – ensuring that staff understand the issues at hand and the threats they face, as well as their role in the corporate response.
Ultimately, companies should have in place a holistic program that allows them to understand what their risks are, what controls they should put in place, and how to respond if they unfortunately have an incident.
“It’s a matter of choosing those controls to meet the level of concern you have about the threat,” Thompson says. “It’s never going to go away; it’s a totally digital business world now, and digital security issues are just a part of normal business.”
David Thompson is an ACS Certified Professional (Cyber Security).
In our CYBER EXPERTS SERIES, Information Age talks to cyber security leaders across Australia and beyond about the biggest threats facing the industry, how they got into cyber security, and what keeps them up at night.