1st August 2019: We live in dangerous times. On one side, cyber criminals are queuing up to attack our systems. On the other, regulators are imposing huge fines for data breaches. What's a mainframer to do?
In a previous blog, I described the huge fines proposed by the UK Information Commissioner's Office ICO for GDPR infringements by two international companies. A few weeks before that, it was reported that a ransomware attack had cost a major company at least £45m in lost productivity and revenue global aluminium producer Norsk Hydro stood its ground and refused to pay.
I also wrote that some areas of IT including mainframe operations were in self-denial about data protection and the state of their security. This isn't the case for all, certainly, but it still adds up to a major problem.
In Greek mythology, Thetis tried to make her son Achilles immortal. Holding him by the left ankle, she dipped him in the River Styx, with the waters conferring invulnerability - but that pesky ankle stayed mortal. And you know which part of his body was later hit by an arrow, mortally wounding him. We still use "Achilles' heel" to refer to an unexpected weakness or vulnerability in an otherwise strong or powerful person or system. A vulnerability that eventually leads to a downfall.
It's not only me talking about complacency. A few weeks ago, some interesting research by Forrester Consulting popped into my inbox, courtesy of my friends at Key Resources Inc. The title said it all: Don't Let Mainframe Security Complacency Leave Your Critical Customer Data At Risk.
The research covered 225 IT managers and security professionals in North America; all roles were 100% within IT, security or risk/governance/compliance.
Its starting point was that "companies must actively secure the mainframe to achieve overall security." The study, focusing on financial services, healthcare and insurance, showed a worrying lack of awareness around what people needed to do to secure all parts of their mainframe environment. The net result is putting data at risk. And lest we forget, serious breaches may end up costing Marriott around £100m and British Airways some £183m.
While a sensible 85% of companies believed that mainframe security was a top priority, only one-third "always or often" make mainframe decisions based on security. Perhaps the other two-thirds don't read the news?
Encouragingly, 95% of respondents said "the most concerning ramification of mainframe security is a breach of customer data." That's a relief. Then how come only one-third "always or often" make mainframe decisions based on security?
Indeed, as the report states, "Not only are companies not making decisions with the mainframe in mind, but they are not taking actionable steps to secure the mainframe" - they are not actively scanning for vulnerabilities. Scanning the OS for vulnerabilities was considered the least important factor "when managing your organization's mainframe security."
So what happens when there is an attack?
Two-thirds of respondents said that protecting their systems from so-called "zero-day attacks" exploiting software weaknesses or other vulnerabilities is the greatest mainframe security challenge they face. Moreover, the research found that two-thirds of companies struggled to identify vulnerabilities rapidly. 61% said it's difficult to find the right mainframe security staff. Indeed.
This may help to explain why virtually all the companies said they were using or plan to use third party mainframe security tech 96% "to fill critical skills gaps" or calling on additional outside resources to review their security and compliance 95%.
And that's the key. Even if you don't have them in-house, the people and resources are out there to help you check your defences, close any gaps, and help you build new and even stronger defences that can flex and adapt as the cyber threat landscape evolves - so you can better protect your systems of record, with all that precious data. From mainframe security assessments and penetration testing to a fully managed 'Security as a Service' approach, there are ways you can access the security engineering and threat prevention expertise required.
So what's your Achilles heel? My team could almost certainly identify and remedy it. And there may be quite a few. The important thing is, at what point do you take action: now, or after you've been breached and hit with a £100m fine? After all, if Thetis had done the job properly, holding each heel in turn and dipping Achilles twice, his story might have ended rather differently.
An international speaker in mainframe security and technology, and a passionate advocate of all things Z, Mark Wilson heads RSM Partners' Technical and Security teams.
For more information email: firstname.lastname@example.org