When Chris Blunt and I started Axenic back in 2009, John Key was Prime Minister, Barack Obama had just become President of the USA and told Benjamin Netanyahu that he should freeze settlement construction in Gaza to enable movement towards a two-state solution, and a Royal Commission recommended that the 8 Auckland region local government bodies merge to form a “supercity”.
The Early Days: A Look Back at 2009
About that time, Snapper cards were just getting off to a lumpy start, the government was redirecting education funding from night classes to private secondary schools, and a revolutionary new search engine called Wolfram Alpha was announced that would change how we surf the web. The NZISM was (possibly) a sparkle in the eye of GCSB and wouldn’t see the light of day for 2 more years, and when it did was difficult to locate and only available in PDF format, 297 pages and 1.3Mbytes in size.
The Journey Begins
And 15 years ago we started Axenic and our journey helping clients understand the real risks of their use of information technology. We introduced the new (to many) idea that security was not just about the technology, but it needed to be backed up with skilled people to operate and manage it, and good quality processes to ensure consistency of those functions over time. There were numerous debates about why data integrity and availability were important as well as its confidentiality.
Foundational Concepts in Cybersecurity
We talked about the need to patch applications and systems and maintain them, to ensure systems are securely configured, to reduce the number of people with administrative privileges and to make sure all users had good quality passwords and understood their part in securing the organisation. We talked about backups and testing the restoration of data, and also about disaster recovery, and a large number of other important concepts.
Embracing International Standards
Most of all we tried to ensure that our advice was based on recognised international standards, and not on our own ideas of ‘best practice’. We used ISO 27001, 27002 and ISO 31000 as starting points, while referencing NIST and other well-developed frameworks where appropriate.
Evolution of Cybersecurity Practices
Over time we have seen many organisations take this approach more seriously. Official guidance, such as the NZISM, recommend a risk-based approach to infosec, and refer to numerous external standards for reference, although some of those key messages get lost in the voluminous detailed guidance.
Continuing Challenges in Cybersecurity
In 2009 one of the first Verizon DBIR reports identified 79% of investigated breaches as arising externally, and focusing on financial gain for the attacker. Many of those attacks originated from organized crime based in Eastern Europe. Last year the latest report found that number had increased to 83%, and still focused on financial gain (96% of breaches) driven by organized crime. Use of stolen credentials, Denial of Service (DoS) and Ransomware are now the major issues.
The Consistency of Security Strategies
Many of the recommendations in the 2009 report were similar to those that we were making at the time. Since then the ASD in Australia has published its ‘Essential Eight’ mitigation strategies that are closely aligned with the advice we have been giving for many years. Patching systems and applications, strong user authentication, restricted administrative privileges, hardening and backups. While the threats, technologies and attacker capabilities have expanded radically over the last 15 years, the key strategies for protecting information have not.
Plus ça change
And Israel still bumps heads with Palestinians in Gaza and we are having another conversation about a ‘super-city’ in Wellington. Google remains the main search engine we use (Wolfram Alpha still exists but pretty niche), the Government is changing financing of services for the public with more public/private partnerships on the horizon, and we may in future have one transport card for the country, which is unlikely to be Snapper. The NZISM continues to grow, now at version 3.7, with 444 pages, 4 more sections and is available online. And Axenic is itself now ISO 27001 certified and continues to provide timely risk-based advice to its clients with its great team of skilled consultants and leadership through cost-saving automation through its Archer-based platform.
**Plus ça change, plus c’est la même chose.**