Spill the IT Ep05 (Part 1): Security – who's on the door?

Welcome to the Fasthosts ProActive Podcast: Spill the IT. Each episode, we'll sit down with some of the amazing ProActive team and chat through their experiences of the ups and downs of IT infrastructure management in small businesses. There's always plenty to chat about.

Security is a huge topic for a reason so we've got our Head of Security at Fasthosts talking with the team about changing your business culture around security.

Listen on your favourite platform!
Want to listen on your go-to platform? We're on those too...

Episode transcript:

Intro (00:05):

Welcome to the Fasthosts ProActive podcast, Spill the IT. Each episode, we'll sit down with some of the amazing proactive team and chat through their experiences of the ups and downs of IT infrastructure management in small businesses. There's always plenty to chat about.

Graham (00:29):

Well, hello again and here we are for Episode 5 of the Fasthosts ProActive podcast. My name's Graham and I'm going to be your host for today's recording and with me, I have Dan, who's the senior service owner at Fasthosts ProActive. I've got Gary who's also here who's the solutions consultant and I also have CJ who's head of security operations. But they're going to do a far better job in just telling you a little bit more about themselves and for those people who've not been on the podcast before. So let me start.

(00:57):

Actually, I'm going to start with you, CJ, since you're new for one of these podcasts.

CJ (01:02):

So myself, I've worked in IT well over 20 years. I've been security focused for the past five or six years. It was just mentioned, I'm head of the security operations team here and I'm responsible for technical security here at Fasthost.

Graham (01:13):

Fantastic.

Gary (01:15):

Hey, I'm Gary. So I'm the solutions consultant for Fasthosts ProActive. I'm the person that takes all of the business problems and turns them into nice technical answers.

Graham (01:27):

And Dan.

Dan (01:27):

Yeah. I'm the senior service owner. Again, I'm part of the 20 Plus club. I'm here to help shape the managed services and enable them to meet our customers' needs and I've been on both sides of those camps, so I've both been delivering managed services over the years but also consuming them as well.

Graham (01:46):

Fantastic. Well, that gives all our listeners just a little bit of an overview of who you are and before we start, so as I said on our last podcast, we're starting to get people sending in questions which is really good so we've got a fan base. They're not exactly sitting outside the front door waiting for signatures or autographs from you but we've got this listener question and it says, "Hello, Fasthosts ProActive people," which I thought was rather nice, "I listened intensely to your last podcast on the subject of cost of ownership and this is great," and it says, "Because I'm right in the space right now for considering my options, I'm just so worried about allowing my cost to be so variable month on month. Am I being stupid or am I just being a little bit too OCD?" Dan?

Dan (02:27):

Yeah. I mean, I'd always start that with, "No, you're not being stupid and don't worry." You need to understand what your likely costs are going to be and there's various ways and means that we can help people do that. We also luckily offer both variable and fixed costs for a lot of our services for infrastructure. So by all means, come and have that conversation with us and let's see the best way for you to get the reassurance that you need.

Graham (02:57):

So nothing to worry about here. Gary, you got anything to add to that?

Gary (02:59):

No, I mean, as Dan said, we've got a varied pricing model and from my perspective, it comes down to getting that resource level right at the beginning. So having those conversations, looking at the likely need, making sure that we've got the ability to flex that should things change.

Graham (03:19):

Fantastic. So nothing to worry about. So let's get straight onto this month's podcast title. So we've named it, "So you've migrated to the cloud but who's on security? Who's on the door?" So there's a lot of ongoing debates right now on which is more important. Is it around security or is it around network stability? Is system uptime more important than security?

(03:40):

Well, probably, we could probably argue both is very, very important. But today, we're going to talk around security and the growing need to pay attention to both on-prem, hybrid, or cloud solutions. So team, what's your individual view on the increasing issues around security? CJ, I'm going to ask you go first because it's your hot topic.

CJ (04:01):

It is my hot topic, absolutely. So security has become a huge focal point for many, many businesses and much more so recently just because the media coverage around it. So it seems like every week you are hearing about another new company that's had an issue and the security landscape is absolutely changing but what we are definitely seeing is different trends in the industry and different ways that attacks are evolving, that are causing people issues.

(04:24):

Tying into that of course, is that since the introduction of things like GDPR and so forth, companies are much more aware of the financial implications of getting security wrong so it's a huge topic, really important. Of course, we're not going to get through everything today, aren't we? Because it's just such a big thing but hopefully, we can highlight some of the big wins and big important factors around it.

Graham (04:44):

Yeah. Really good. Gary?

Gary (04:44):

Yeah. I mean, for me it's, yeah, everybody is a target. Historically, it was the big corporates or the governments who are being hacked for moral reasons or nation state activities. Now, if you've got data, you are a valid target for the bad guys.

CJ (05:03):

And I think just tying into that, I mean, again, it's financially driven these days. We've got cryptocurrency as a huge thing these days. Anybody can make some money by getting a piece of malware on somebody's computer and ransomwaring it and things we'll talk about more later. But as Gary was saying, the landscape has very much changed.

Graham (05:20):

Mm-hmm. Dan?

Dan (05:22):

It's really difficult going third because there's a lot of really good answers there. I think for me, I've been both poacher and gamekeeper in the security game over the years and points there about the move away from script kitties just because I can through the state led interference and obviously, the monetization of it at the moment are all on point.

(05:42):

I think when you look at this in terms of cloud provision, I would always encourage people to think about third party risks. So if you're getting somebody else to look after your stuff for you, the assurance that you need around them complying to the regulations that they need to for your business and they're actually executing best practice in those areas.

Graham (06:05):

So Gary, we were talking earlier, weren't we today? And we were talking about what's keeping people awake at night? What's keeping IT managers awake? I think you said that IT managers were working roughly on sort of 14-hour days which is crazy but what's keeping them awake?

Gary (06:22):

For me, the big thing is the unknown. We've all just spoken about how the landscape is evolving and I think that's a very, very common phrase when you're talking about IT security and what's keeping people awake is what they don't know and how can they ever keep up with this constant change?

(06:45):

There's a new threat now. A lot of the ability to launch attacks is a lot easier. People are doing malware as a service. You can actually rent a platform from other bad guys to do bad things. So it's always changing and part of that change is that access to platforms that let you do bad things is becoming more and more accessible and how does an IT manager who has that accountability, how do they keep up with that?

Graham (06:45):

How do they keep on top of things?

Gary (07:18):

To be honest, they can't. So I think that's enormously scary for individuals and certainly, when I was on the other side of the fence, that was definitely one of the things that kept me awake at night.

Graham (07:27):

Dan, what are you seeing?

Dan (07:28):

For me, I've got a slightly different sentiment on that and I'd say the unrehearsed so-

Graham (07:34):

Yep.

Dan (07:34):

And my team used to absolutely dread me doing it. I used to do business continuity desktop exercises with them and I'd get them all in a room, the infrastructure leads, the system leads, the IT managers, and I would present them with a horrendous situation and I think while a lot of security is based around the physical mitigations, the pieces of software, the preventative measures, there's something in this for me about more about the human factor and about how people work together as a team in order to get over some of these events. You can't plan for everything. You don't know what the next big thing you're going to be nobbled by is going to be. But I think getting your team together and allowing them to think security and work problems through, and I used to throw them some unwinnable solutions, but it wasn't about coming out with the right answer at the end. It was about-

CJ (08:28):

How very Star Trek of you.

Graham (08:30):

I was just thinking that, CJ.

CJ (08:30):

It could be actually more rude, I think.

Dan (08:34):

Yeah. I literally used to do those exercises with them and it's about how they work. Security is not just about the physical things, it's about how people work together as a team as well.

Graham (08:44):

Yeah. Interesting. So getting them in the room, that big whiteboard that you were talking about-

Dan (08:47):

Oh yes, yeah.

Graham (08:47):

Which you love. I think Fasthost is going to get you one of those now.

Dan (08:50):

Hopefully. It's on my Christmas list.

Graham (08:51):

CJ, what are you seeing?

CJ (08:53):

I think and just tying into some of the stuff that Gary and Dan have been talking, for me, one of the things that worries me is when people start to get complacent about their data security and we talked a lot about malicious actors and threats and so forth, but data security isn't just about stopping the bad guys, it's about protecting your data from just traditional things like human error within your own business.

(09:13):

So we're talking about making sure your data is kept secure and yes, a huge part of that is making sure that the bad guys don't come and get your data or affect your data or do some changes or grab it. But it's also just about that person who accidentally clicks delete on the wrong place in the database and I forgot to do it transactionally. We've lost all the data. What's going on now? That's where you still have issues in the big corporations and we saw it. What was it?

(09:36):

When CloudFlare went down when they had... There was an SSL cert issue with the rollout and it was simply human error but it took half the internet down and more importantly, you took down half the internet to the places where you find out how to solve the error which you suddenly couldn't get to anymore so who knows how they fixed it? But yes, it's that complacency of like, "Hey, we've secured everything against all of the bad guys out there," but still not looking inwards and just making sure that you're staying on top of best practices.

Graham (10:01):

So what are the hot topics right now? So what's not being... Let's talk about what's not been spoken about, almost like the elephant in the room almost. What needs to be spoken about more?

CJ (10:11):

For me, data backups and quality of backups is a huge, huge topic and one that is not glamorous, is not fun, is not interesting and people don't tend to do it and there's a cost implication. It's really, really hard with some datasets to make sure you've got a good backup and a reasonable backup that's available at the right times and so forth. But particularly, when we see some of these high profile ransomware attacks, the only protection that is guaranteed to protect your data is to have an air gaps backup and a quality air gaps backup as well.

(10:40):

By air gaps, I mean not something... So once somebody has gotten onto a system, if it's air gapped, it means they can't then get onto that other system. So with backups, that traditionally is a... Let's go for the simplest solution. It's a USB drive stored in a safe. The bad guys can't get at it. It's not connected to the same network. It's not something they get ahold of. And it then means that if all your data gets completely trashed, you've got that backup, it doesn't matter. You can just go and restore that data from a set point in time.

Graham (11:07):

Gary, what isn't being spoken about?

Gary (11:10):

I think to echo that point and also what Dan was talking about, I think it's about rehearsal. There's a great saying I love which is, "Everybody's got a plan until they get punched in the face," and then everything changes, right? So for me, it's about practicing and when that comes to, as Dan said, whether that's desktop exercises... Actually, what would we do? We've got a plan, what would we do to execute that plan if the proverbial hit the fan?

(11:42):

And moving on to what CJ was talking about, everybody's got backups except those who haven't. How many of those people can hand on heart say, "I know that I can get my data back from that backup should I need to." So I think... I mean, it's about practicing. Policies are great, security measures are great but you've got to test them. You've got to do those practice runs.

Graham (12:07):

Scenario testing so creating that.... Dan, it's what you were saying just a moment ago, wasn't it?

Dan (12:07):

Yeah.

Graham (12:11):

I guess putting people in the room and creating havoc and saying, "This is the scenario."

Gary (12:16):

And I'd much rather people worry and freak out in those kind of rehearsal situations than they would do in real life when you really hit some of those events so it was drills. They didn't enjoy it. But when we subsequently had some issues like every IT organization does and for me, this was with a previous employer, the folks were a little bit more calmer, a little bit more collected, they'd developed their... If not on paper, they developed their mental runbooks. They understood who they needed to speak to and they could execute a bit more calmly.

(12:53):

I think in any of these situations, because these are all horrible situations, right? It's whether you're being DDoS-ed or whether you've got a backup that won't restore, these are not pleasant situations. So I think it's important to keep a level head on those things.

CJ (13:07):

And it's about normalizing these concepts. So certainly, as Gary was saying, how good is your backup? I mean, we have a saying in security, your backups are only as good as your last restore test and you need to get into a process whereby as a normal course of events you are testing that your backup has the right data in it. Something we do quite regularly, certainly with the really important data.

(13:26):

When we first started doing this many, many years ago, it just felt like a chore and everybody got... Now, we just have whatever it is, whatever's appropriate, a quarterly test, a monthly test, and you just get the right people and you go, "Hey, we're going to do a test restore. Let's just make sure everything goes well," and it also then means that when, again, the proverbial hits the fan, everybody also knows what to do. We have the playbooks, we have the documentation, we have the data, it's here, we know how to do. It also means your time to restore is that much quicker.

Graham (13:52):

I think when we were developing the proactive managed services, you look at our managed backup service, it has that baked in. Those restores are baked into us and that's because we are not just taking a backup product off the shelf and installing an agent and, "Away you go. It's magically backed up." This is coming from a place of experience for us.

CJ (14:16):

And sometimes bad experience.

Graham (14:17):

Oh yeah, yeah. Those are the ones that shape things, right?

CJ (14:19):

Yeah. We've been there and this is why we're so passionate about this topic is because of the amount of time we've all spent in IT and we've all got it wrong at some point and we don't want to be back there again.

Graham (14:31):

So it's marginal gain. It's like just improving it slightly time and time... How many times when you're doing those backup tests, do you get issues? So is it rarely or do you see it more and more? I mean, what are you seeing?

CJ (14:42):

So again, I mean, because of the experience we've had in this kind of thing, we tend to get this quite good now. Now, I'm not saying there are never issues but we write processes, we come up with policies, how we're going to do it, we know how to do it, and again, it's just getting that human element into it and making sure that this becomes commonplace, it becomes normal. This isn't a rare occurrence of testing a backup, this is normal, is what we do.

Graham (15:05):

So the security threat landscape is evolving but what are the stable constants in your industry? What are the things that people still need to look in and look at time and time again?

CJ (15:18):

So there are three main attributes about security. Let's go back to basics just for a moment. So when you're looking at security of data, you're looking at confidentiality, integrity, and availability. These are the three important factors. So confidentiality, is my data and certainly my secret data, is that only held by me or can other people get it? Integrity, is the data I've got still the same data? Has somebody been in and changed it? People think, "Well, that wouldn't be so bad," but if somebody took zero off of your bank balance, that's a really important thing. And then, you've got availability and this tends to tie into things like DDoS's or somebody trying to just block your access to X, Y, Z resource. Those are three things you need to stay on top of and there are various different methods and technologies and approaches you can use to protect those three things. Each of those three things will have different levels of importance depending on what services you are providing.

Graham (16:12):

I think, for me, the common factor I can see changing over time is the human factor. So you can implement untold technical safeguards and solutions, you know can have a billion firewalls, segregated data, all air gapped. The big factor that you need to account for is the human factor and whether that's things like social engineering, whether it's guarding against human error. We will always be as squishy meat puppets, be the weakest point within any solution.

CJ (16:50):

Totally agree and just on the same note, it's certain when we get into some of the exercises, people in security teams do. One of the very common ones is you just drop a bunch of USB keys and in the carpark and you just wait for somebody to plug one of those in and these can be rigged so that they will ping back home and let you know that somebody's plugged them in and invariably it happens. Somebody picks up a USB key and they're like, "I'll go and plug this in," and the only way you can get around that is to make sure people are educated and make sure people stay on top of these topics, they're aware of it, they're aware of who to talk to when they've got a question.

(17:19):

It's also, for me, really, really important that we allow people to feel that they can report issues with security without feeling they're to blame and getting rid of that blame culture is so big because everybody still feels like if I go and say, "I've done this. I've clicked on this link. Everybody's going to think I'm a fool. Everybody's going to think I'm a moron. I'll just keep quiet and hope nothing happens." Whereas if you can get into a culture whereby people go like, "I've clicked on it. That was a bit of a silly thing to do but I know I need to report it." It just makes security... For people who work in security, it makes their lives so much simpler. You're not having to chase things down. You're not having to try and work out what the root cause of something is. You already know what it is.

Graham (17:57):

Yeah. And does that come back down to what we were talking earlier about that scenario planning? So when you're in a room, would you potentially say, "Right. Okay. This could be something that you might receive," and is that all about education and standards and just sharing that?

Dan (18:10):

Education hugely.

Graham (18:12):

Yeah.

Dan (18:12):

So when I worked within the education sector, making sure that staff understood that security and IT to that extent. Yeah. It's not some kind of ivory tower somewhere where we all speak our special little technical language which is full of acronyms and don't come knocking on our door and it's about being open to those conversations.

(18:34):

The point that CJ made there about it's okay for people to make mistakes and okay to fess up and don't worry about it. You might feel silly but other people aren't going to consider you silly. They're going to consider you more trustworthy and honorable if you actually fess up to those things but it's about the broader business.

(18:53):

So you're moving on from the internal rehearsal IT playbook and planning that we do, move out to the rest of the business where they are not security experts, they're not IT experts. So removing those barriers to engagement, I think, is really important.

Graham (19:09):

So reducing that intimidation because some people-

Dan (19:11):

Yeah. Yeah. Some people-

Graham (19:12):

See IT as being quite intimidating, don't they? "Oh my god. I've done something. Oh, I'm not going to tell IT because they're going to shout at me," sort of thing.

Dan (19:17):

Yeah. Yeah.

Graham (19:17):

So reducing that.

Dan (19:19):

Yeah. And I think going back to your question about what's the common factor and this may be a bit of a cop out, right? But the common factor for me 20 years on is change. It's the reason I still get out of bed in the morning and come in at ridiculous o' clock is because things are constantly changing. For us within the industry, it keeps things exciting.

Graham (19:39):

Yeah. Well, that leads me onto my next question. So what's the most effective technologies around security right now? How's that evolving? CJ, what are you seeing?

CJ (19:47):

So I've used the phrase many times before but it's the old unstoppable force meets and moveable objects, okay? So we're constantly battling. We've got the good guys, we've got bad guys, and technologies are changing on both sides of the fence all the time and people are coming up with solutions to combat X, Y, Z threat. But really, technology's got so good now that you get a competent person to put your technical stuff in place, it's going to be pretty good and probably good enough. We then need to move into the human element and that's where, again, we're talking about education, we're talking about skills and experience, we've got people who are aware of how to get the right process and documentation written up and so forth.

(20:25):

So really great example. We here at Fasthost, we're ISO 27001 certified, that's the defacto standard for security and a lot of that doesn't actually cover technologies. It doesn't say, "You must have this type of firewall. You must have this type of other network appliance. You must do..." It's about, "Do you have the right ethos? Do you have the-"

Graham (20:43):

And procedure. Yeah.

CJ (20:44):

"And procedure and policies written down? Can you show me evidence that you are doing all of the good things and your people are invested into it?" and that's where I think, certainly from us, that's where the skills and experience really come in because we've been in this long enough, we live and breathe this kind of stuff, and it's so familiar to us that it becomes second nature. So it's really then also really easy to call out bad practices when they're being put in place.

Graham (21:09):

Gary, what are you seeing in that evolution of technologies?

Gary (21:12):

Yeah. I think there is a change in the industry where we're starting to realize that this isn't a finite task. So much like monitoring solutions, security isn't something you just install once and then let it do its thing. It's an evolving thing. It's a day to day, as CJ said, living and breathing security and it's how you embed those practices and thoughts into a business beyond the computers itself. IT security as operations is a phrase. It's often, I think, overused as a selling point when actually, that's a principle that goes beyond technology and the big thing for me that CJ mentioned was removing that blame culture.

(22:05):

I heard a really scary stat that of organizations that had been compromised, when forensics were conducted, it was found that I think the average point between a system becoming compromised to a payload being delivered, i.e., actually being noticeable was nine months. And so, that kind of thing is made possible by people making a mistake and then feeling that if they admit to that mistake or raise it, they're going to get hauled over the coals.

(22:38):

I've seen in other organizations exercises like a phishing rehearsal where it's almost become a punitive thing. So if you click on the bad link, that instantly means that you failed and it could mean that the content that made you click on that link was really, really good. And so, whilst you didn't fail, it was just that the method to make you click that link was really, really good and I think we need to strengthen that shift to enabling people to speak up and have that baked in so that it's the instant reaction.

Graham (23:13):

I guess it's what new IT people love though. If somebody actually picks up a phone and says, "Look, I've clicked on this and I think I shouldn't have done and I did it five minutes ago." You're right on it, I guess. Dan, I mean, is that something that everybody sort of, "Give it to me as early as possible," I think is what you're saying, isn't it?

Dan (23:28):

Oh, always.

Graham (23:28):

Yeah.

Dan (23:29):

Yeah. Yeah. I think-

Graham (23:30):

Tell me the bad news on that.

Dan (23:31):

Yeah, yeah. Tell me the bad news first. Because it allows you to put your mitigations in sooner, it allows you to stop exfiltration sooner. Yeah, definitely. So I'm just going to go back to the point that Gary was making there about embedding practices. This is quotes. I won't do the voice. It's a Margaret Thatcher quote which is, "Watch your actions for they become habits. Watch your habits for they become your character," and I think that's... For those of us, within the IT and the security industry, we want to leech those kind of approaches out so that they're common practice within the wider business, really. Going back to your question about what's coming up next, I've recently completed some studies looking at network security and artificial intelligence. So I'm not going to mention ChatGPT. Oops, there I go. I just did. But I think there's some really interesting developments in terms of where AI can support security coming-

Graham (24:28):

Yeah. Interesting.

Dan (24:29):

As well.

Graham (24:29):

I mean, that may even be a title for another podcast, I guess.

Outro (24:34):

Thank you for listening. We hope you enjoyed this episode. You can subscribe on Spotify or Apple Podcast or visit proactive.fasthosts.co.uk for more info. See you next time.