The need to look beyond cyber

elevenM Principal Pete Quigley explores whether a siloed mindset is constraining the value digital risk professionals can bring to organisations and their clients.

I was lucky in the early 2010s to be consulting into Australia’s financial services industry when AWS came to town. I saw first-hand the internal struggles between business and technology teams who wanted to adopt a cloud-first strategy and risk, privacy and security teams who felt they were giving away the keys to the castle.  

Based on my position at the time with PwC, I had a number of fireside chats with the technology risk team from APRA, Australia’s financial services regulator. APRA foreshadowed an impending situation in which institutions would become reliant on digital channels to service their customers, but would lack visibility into what individual services and vendors made up those channels.  

Fast forward a decade and most revenue-producing digital channels leverage a multitude of vendors to provide critical online services. One such widely used vendor that has been hitting the headlines recently is Akamai.

Akamai provides a number of services to optimise and protect digital channels. The nature of these services requires that you allow Akamai to manage critical digital services like Domain Name System (DNS). For those unfamiliar with DNS, it acts as the phonebook of the internet and allows users to connect to websites using domain names such as elevenM.com, instead of IP addresses.  

DNS is commonly considered to be a fragile system. When there are errors in the use or updating of this phonebook, users can’t find websites. This was the case with Akamai recently, whose DNS failure led to a massive internet outage.

When I am asked what elevenM does, I usually revert to our tagline of ‘specialist cyber, privacy and data governance professionals’. I say that because it is what people understand and can draw a line to specific services and, indeed, specific outcomes. Within elevenM, however, we talk in terms of digital risk – the risk our clients face when operating in a digital economy.  

The outage caused by a bug in Akamai’s DNS service was not cyber, privacy or data governance related. In fact, Akamai was at pains to say the issue “was not a result of a cyberattack”, even though it had very little else to say about the root cause.

But the issue still had a significant impact on the availability of the digital channels of a large portion of the internet, and thus on the trust and confidence of users of those services – which is arguably ultimately what our industry is about. 

So, is it time we stop talking about specific delivery-focused silos and start thinking in terms of the customer’s digital experience? To more holistically assess risks to those digital experiences and how we are effectively measuring and managing those risks?  

Four principles for contact tracing technology

elevenM Principal Melanie Marks takes a closer look at proposals to use digital technology to support contact tracing, as governments seek better ways to manage the COVID-19 pandemic.

With reports that Australia may follow in Singapore’s footsteps to build a tracking and tracing app which allows governments and citizens to get ahead of the COVID-19 pandemic, we must ensure that innovation and laws are channeled towards the “right” intended outcomes.

The benefits of introducing greater data sharing at a time of crisis are obvious. However, there are also risks, so it’s critical we proceed in a considered way.

For me the key principles are:

  1. Do what you can to save lives.
  2. There shall be no scope creep.
  3. Permissions shall be wound back when the crisis passes.
  4. Post implementation review is essential (covering law and processes).

We need to build for the short term or at least for a series of stages, featuring “gates” where civil liberties are checked before continuing. And we need guarantees that new architectures being introduced will not be put to secondary purposes. For example, whilst we might consider it okay to trace the movements of a COVID-19 affected patient in order to prevent exposure to others (primary purpose), we should not accept that the tracing can be used to identify how far a person strays from home, in order to hit them with a fine (secondary purpose). This is especially so if we consider that channels of procedural fairness may be harder to access in the circumstances (Robodebt comes to mind).

I had a chance to discuss these ideas recently with Jeremy Kirk, together with Patrick Fair and Susan Bennett, in an article published in DataBreachToday.

News round-up March 2020 — COVID-19 influence on cyber security, privacy and digital risk

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

First and foremost, we wish all our clients and friends the best in these challenging times. We hope your families are well and that your businesses are finding a way to move forward through the current crisis.

Given the present saturation of COVID-19-related news, we considered avoiding the topic altogether in this edition of the news round-up, as a way to help our readers step back from the crisis and dip back into business as usual.

The reality, as we’re all appreciating, is that our collective response to the pandemic is unprecedented. It dominates all spheres of our lives – work, home, socialising, shopping and parenting. “Business as usual”, as it used to be, doesn’t really exist at this moment.

So in this month’s round-up, which takes a slightly different form, we look at how COVID-19 is influencing the spheres of cyber security, privacy and digital risk.


Key themes:

Security and privacy at the heart of changed ways of working

COVID-19 has heralded an unparalleled change in working conditions, most strikingly marked by large volumes of staff working from home, in accordance with social distancing and isolation guidelines issued by authorities.

Working from home isn’t new, but the scale is unprecedented. IT and security teams have scrambled to ensure that the sizeable increase in numbers of staff working remotely – including many that haven’t done it before – doesn’t translate to an unpalatable increase in security and privacy risks.

Recommendations have been widely published online to promote secure working from home practices, including use of secure networking tools such as VPNs and access controls such as multi-factor authentication. Some also see the current circumstances as an opportunity to introduce stringent IT architectures that will promote greater security long after the crisis subsides.

While technical measures are critical, we can’t overstate how important it is for organisations to also speak to their staff. Issue clear advice about the need to maintain secure practices when working from home, and the continuing importance of protecting the information of customers and of the organisation. As executives increase their conversations with staff at this time about how their companies are handling the crisis, security and privacy teams must also strive to have security and privacy priorities included in these communications.

The highs and lows of humanity

The image of people fighting off the elderly for toilet paper crystallises how the pandemic has, sadly, illuminated some of the worst in human behaviour.

So it was in the cyber realm. Very quickly after the pandemic took hold, authorities observed a spike in COVID-19 themed phishing and scam emails. Also discovered were coronavirus health apps laced with malware, hijacked routers steering users to malicious COVID-19 sites, and the disruption of online services that the public will increasingly come to rely on.

The expansion of cybercrime infrastructure – such as the registering of new domains, and burgeoning pool of potential money mules – further suggests we could face these new risks for a sustained period.

All the more reason for businesses to start educating their staff now, not least because a state of heightened fear, anxiety and constant desire for new information likely increases susceptibility to threats such as phishing.

For a while, it did seem that cyber-criminals might have an attack of conscience, with some peddlers of ransomware vowing to lay off health care companies. A series of hospital-related attacks showed that to be a false dawn.

While there may be no honour among cyber thieves, there is valour in our industry worth celebrating. Many security researchers are volunteering to support healthcare providers fighting hackers, while a number of security vendors are providing free tools to help their customers be more secure. Some professionals have even set up an online cyber school for flustered home-schooling parents to help teach their kids cyber security.

Cyber workers are essential

As healthcare staff fight valiantly on the frontlines of this pandemic, it’s not unlikely that many of us in professions far removed from hospitals and health clinics are second-guessing how important our jobs are today.

Of course, PM Scott Morrison has declared that all workers are “essential” workers. But for those wanting something more specific, US President Trump also issued guidance this month on exactly what roles make up the essential critical infrastructure workforce.

A number of cyber security roles were included in the list, including workers performing cyber security functions at healthcare facilities and energy providers. The inclusion of these roles in this list affirms that cyber security functions play a critical role in the functioning of society, even in the event of a pandemic-related lockdown.

A stoush between public health and privacy?

If the importance of cyber security was re-affirmed in the previous section, privacy may have taken a backseat, at least momentarily. Various governments, seeking to arm themselves with the information needed to contain the pandemic, have turned quickly to our personal data.

In some countries, like the US, this at least kicked up an ethical conversation. In other jurisdictions, like Singapore, Taiwan and Israel, the public health imperative appears to have overridden any appetite for discussion.

But one should never be too quick to declare privacy dead. Privacy was built for this. Principles such as necessity, proportionality, reasonableness and transparency are more important than ever for governments that will need to maintain public trust throughout a sustained state of emergency.

One of the first tasks for privacy advocates on the other side of this crisis will likely be to ensure that privacy concessions made in the name of necessity are rolled back as the emergency subsides. Beyond that, there will also be an opportunity to re-assess and refine prevailing attitudes to privacy and to reframe conversations where the discussion is presented as a choice between privacy and health.