As organisations gradually lose the security war, maybe it makes more sense to simply leave the battlefield

“Welcome to your first day at Insecure IT Solutions. Here’s your new office. It has three doors and five windows with no locks on any of them. We keep all the sensitive business information in this open filing cabinet in the middle of the room.

“If you want to send a message to anyone in the building, just write it on a postcard, fold it into a paper aeroplane and throw it out of a window: it’ll get there eventually. Don’t worry about all the strange pipes leading off into the walls and ceiling. We’ve no idea what they’re for, but it’s probably fine.

“Oh, and you might find random strangers loitering around or sneaking in and looking at your work from time to time. As long as they do it quietly we ignore them. Any questions?”

“Erm … what?”

Years of costly vulnerabilities and high-profile attacks have taught wary IT directors and managers to block every port and service that isn’t routinely used for business communications. Doing things any other way smacks of naivety and a false sense of security, or of someone whose plate-spinning skills would better suit a career in the circus.

In enterprises where security is taken seriously (which is most of them, since those that don’t take it seriously are likely to be rapidly hacked into commercial oblivion) the precautionary principle holds sway. New staff may be set up with email, web, local file-sharing and messaging services, with every other port and service blocked or disabled.

But even the permitted services in the well-known port range (0 to 1023) are potential malware transmission vectors. WannaCry spread through SMB, the Windows file-sharing and printer service, by exploiting a flaw in SMBv1. “Web access” in practice depends on a cluster of services: DNS and DHCP as well as HTTP(S), and perhaps FTP and NTP too. Email is a major vector for spearphishing.
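The default-deny posture described above is only as good as the check that enforces it: an approved service can still be bound to every interface when policy says it should face the internal network only, which is exactly how SMB became WannaCry’s propagation path. The following script is an added example, not code from the article or from any product it mentions. It parses the output format of `ss -Hlntu` on Linux and reports every listener that is not on an assumed allow-list of approved services, plus any approved-but-internal-only service (SMB, messaging) that is reachable on a non-internal address. The allow-list, the internal address ranges and the sample `ss` output are all constructed for the example.

```python
"""Audit listening sockets against a default-deny service allow-list.

Added example (not from the article). Parses `ss -Hlntu` style output and
flags listeners that policy does not permit. The policy and the sample
output below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed policy: port -> (service name, internal_only). This mirrors the
# "email, web, local file-sharing and messaging" baseline, with SMB and
# messaging restricted to internal addresses.
ALLOWED_PORTS = {
    25: ("smtp", False),
    587: ("smtp-submission", False),
    993: ("imaps", False),
    80: ("http", False),
    443: ("https", False),
    139: ("netbios-ssn/smb", True),
    445: ("smb", True),
    5222: ("xmpp-messaging", True),
}

# Address ranges treated as "internal" for the example (RFC 1918, ULA, loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "fc00::/7", "127.0.0.0/8", "::1/128",
)]

# Bind addresses that mean "every interface", including any public-facing one.
WILDCARDS = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Finding:
    proto: str
    address: str
    port: int
    reason: str


def split_local(local: str) -> tuple[str, int]:
    """Split ss's Local Address:Port field, e.g. '[::]:443' or '[fe80::1%eth0]:139'."""
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
    return addr, int(port)


def is_internal_bind(addr: str) -> bool:
    """True only for a specific address inside one of the internal ranges."""
    if addr in WILDCARDS:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def is_loopback_bind(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_listeners(ss_output: str) -> list[Finding]:
    """Return one Finding per listener that violates the allow-list policy."""
    findings = []
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or header line
        proto, local = fields[0], fields[4]
        addr, port = split_local(local)
        if is_loopback_bind(addr):
            continue  # not reachable over the network; out of scope here
        if port not in ALLOWED_PORTS:
            findings.append(Finding(proto, addr, port, "not on the service allow-list"))
            continue
        name, internal_only = ALLOWED_PORTS[port]
        if internal_only and not is_internal_bind(addr):
            findings.append(Finding(proto, addr, port,
                                    f"{name} reachable on non-internal interface"))
    return findings


# Constructed sample in the column layout of `ss -Hlntu` (no header, no process column).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:445       0.0.0.0:*
tcp   LISTEN 0      50          10.0.1.5:139       0.0.0.0:*
tcp   LISTEN 0      511             [::]:443          [::]:*
tcp   LISTEN 0      128        127.0.0.1:8080      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:3389      0.0.0.0:*
tcp   LISTEN 0      100         10.0.1.5:5222      0.0.0.0:*
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f.proto} {f.address}:{f.port} - {f.reason}")
```

On the sample, SSH (22) and RDP (3389) are flagged as outside the allow-list, and SMB on 445 is flagged because it is bound to all interfaces rather than to the internal address, while the same service on 139 bound to 10.0.1.5 passes. On a real host, feed it `ss -Hlntu` output; the policy table is the part to adapt.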
Malicious code lurking in webpages is almost impossible to mitigate completely, even with carefully locked-down browsers.

Still, the WannaCry experience was a wake-up call, right? At least now everything will be tightly locked down, won’t it? Actually, no it won’t. According to recent research, there are still millions of devices with the same vulnerable ports open to the world. That’s not due to laziness but to the sheer difficulty of keeping services working while securing the ports they use.

What’s today’s stressed IT manager to do? Continue to block, patch and hope? That approach is getting harder to justify, given the rate at which new vulnerabilities appear. The problem is compounded by the fact that there are almost certainly existing vulnerabilities that we (certain national security services excepted) don’t know about.

Does it still make sense for all of an enterprise to be online? The answer boils down to a cost-benefit analysis:

What’s the benefit of everyone being connected to the outside world?

What’s the potential cost in terms of hacking, loss of commercial secrets and downtime?

Until recently the benefit outweighed the cost, but now it’s not so clear-cut, because some of the costs are hard to determine. For example, while researching an article on security a couple of years ago I spoke to the head of an APAC security firm who told me an enlightening anecdote.

He’d spoken to manufacturing firms who were amazed at how quickly Far East clones of their products were appearing on the market. “It takes just a few weeks for them to reverse-engineer what we sell and copy it!” they exclaimed. He pointed out that this wasn’t true. In fact, the cloners had simply hacked into the firms’ systems months earlier and stolen their designs, leaving no trace of their presence.

Maybe we’re reaching a point where we have to admit that the security war isn’t going to be won, ever. Maybe it makes more sense to simply leave the battlefield.
Extending the precautionary principle further, it may be time to disconnect most internal systems from the outside world altogether. If this sounds restrictive and difficult, it probably is. But perhaps not when compared to losing swathes of company-wide productivity to hacking, phishing and ransomware attacks.

Too hard? If the Singapore government can manage it (in 2016 it decided to cut internet access from civil servants’ work computers, a decision that now looks prescient), so too could other organisations. In fact Singapore’s not alone. Certain government departments already use closed systems, as do banks and other financial institutions. Specific devices may be connected to the outside world, but those devices are fully air-gapped from internal networks.

For some organisations, of course, connectivity is fundamental to business growth. There’s really no alternative to everyone being connected all the time. But in many other places of work, the assumption that every employee needs internet access should now be carefully questioned.

Only policy and board-level direction will bring about a real reduction in risk. No matter what hardware and software is in use, it will never be entirely free from vulnerabilities. Changing policies from the top down to prevent unnecessary connections to the outside world could at least reduce the impact of those vulnerabilities.

The alternative is to keep on blocking, patching and hoping, in which case good luck keeping those plates spinning.