The New Zealand Herald

Human loopholes in our cybersecurity are worth a look

- Comment by Ben Kepes. Ben Kepes is a Christchurch-based investor and entrepreneur.

New Zealand can rightly be proud we have the world’s most engaging central bank Governor. Adrian Orr, head of the Reserve Bank, is fond of using esoteric analogues and mind-altering metaphors to illustrate the points he wants to get across.

In a world where central bank governors are meant to be boring individuals spouting endless streams of numbers, having a storyteller in the role is a refreshing change.

I was thinking of Orr the other day as I heard the news, screamed loud in the headlines, that the Reserve Bank had been “hacked”. Apparently, a file-sharing solution in use at the Reserve Bank (think a big organisation version of Dropbox, Google Files or Microsoft OneDrive) was accessed by someone without authorisation. At the time of writing, it has not been established who or how the breach occurred or what information was accessed.

And yet, I have since read the reckons of many an industry expert opining that this is likely the work of a foreign government or agency. It seems the Stasi is alive and kicking and fundamentally interested in New Zealand’s monetary policy. Or maybe it was the KGB. Or the Shining Path. Or someone. Who would have thought?

At the risk of sounding like one of these aforementioned experts, I need to disclose that for the past 15 years or so I have been an industry analyst in the technology space. I’ve worked with vendors and customers, and have helped organisations deploy solutions such as the one breached within the Reserve Bank. I’ve also done work with different organisations helping ensure the safety and security of data.

In pretty much every thought piece or advisory briefing I’ve written or read, I’ve said very clearly that security in the modern age is a shared responsibility. What this means in plain English is that technology vendors (the likes of Google, Microsoft and AWS) absolutely have an obligation to ensure the software and infrastructure they use is robust and fit for purpose. Anyone who doubts vendors’ ability to do this should try to get a tour of a data centre run by one of these vendors — they are more secure than a military facility with 24/7 security, massive investment in cybersecurity and total focus on robust protection of users’ data.

But all of that is for naught if the other side of the shared model is ignored. And this is where I’m reminded of another buddy of mine who is also fond of an analogy or two. Christian Reilly is a British-based technologist who cut his teeth building and maintaining the systems used as part of some of the biggest construction and engineering projects in the world — we’re talking massive airports, industrial facilities and the like.

What is the point of having a safe, locks on one’s doors and other safeguards if we fail to address the human factors which affect security?

And this is where I come back to the recent Reserve Bank “breach”. In due course we may well discover that the experts’ prognostications were correct and it was indeed some nefarious government which hacked its way into our systems.

But we might also discover that in fact it was something as simple as my old mate Reilly posted about and some low-level employee at the Reserve Bank inadvertently lost their laptop which wasn’t well protected or used the same password for Tinder as they use for their work access.

Or perhaps, as is often the case in work situations, in an effort to bypass what is seen as user-unfriendly security practices, someone wrote their access password on a Post-It Note and stuck it to the side of their monitor where it was seen by a visitor who was quite interested in monetary policy. Who knows?

One thing is for certain: of the dozens and dozens of large-scale cyber breaches I’ve looked at over the years, a huge majority have their origins in human errors. So while it is absolutely correct to investigate whether external parties were the cause of this latest breach, Orr’s team should also look long and hard inside. There’s no point locking the barn door after the horse has bolted . . .

Photo / File: Details about the Reserve Bank security breach have not yet been established.
