To mark the launch of “Open Source Intelligence Benchmark 2020” from Mazars, Netherlands, we spoke to its authors, Jan Matto and Randhir Sewnarain, about staying safe online, the information we unintentionally leave behind, and winning the attention of boards in order to make IT improvements.
Could you tell me about the report and its findings? Why did you publish it?
Jan Matto, partner, Mazars
We do a lot of cyber security work for our clients and many are unaware of how much information about them is freely available on the internet, waiting to be used by cybercriminals. What began as something we would offer for free to charities expanded into a service that shows businesses what is out there – sometimes including their security information and confidential documents. The report uses publicly available information to show the digital footprint that organisations leave behind and why it needs to be better covered.
Randhir Sewnarain, cybersecurity specialist, Mazars
As many organisations use third party service providers, control is lost over their data. The purpose of the report is to leave the reader asking, do I want that information to be publicly available? For example, we found passwords that are linked to people’s business accounts that can also be used to log into their social media. Similarly, when organisations develop software, they unknowingly allow the source code to be public, which someone could use to access the security settings and infrastructure. It’s understandable that teams outsource IT, but they should not outsource their security with it.
The report reveals many organisations are not safe online. Why is that?
There are a couple of reasons. The first is that issues related to the public space of the internet often fall outside of typical processes, so they can be left with no one directly responsible for them. Secondly, when you outsource your internet operations to several providers, responsibility falls through the cracks. The lifecycle of an internet domain is typically longer than any single IT manager. If an internet domain is not managed and its existence is forgotten, data will not be adequately managed over the long term.
One of the biggest problems is budget – lots of IT managers may know about cybersecurity and digital footprint issues but they don’t have the resources to solve them. And that is linked to a lack of awareness – if business leaders don’t know or appreciate the risks then it’s hard to build the processes to deal with them. This is one of the main reasons we published the report – to raise awareness at all levels of an organisation.
What’s your advice for improving internet security?
Don’t rely on standard procedures and management processes but instead audit the IT and determine what we call the ‘IT reality.’ An IT audit refers to investigating your presence on the internet, undertaking penetration testing, looking at the web applications that could open you up to breaches, and testing the management processes in place. Most organisations will have to improve their current processes and make someone responsible for security.
What did the findings reveal about the Netherlands and how does it compare to other countries on cybersecurity?
The Netherlands is well-developed digitally; we are home to global IT infrastructure, which on one hand demonstrates our strengths in the field, but also makes us a target of cybercrime. At the government level, we have the right policies in place, but many organisations here are still not doing enough to clean up their digital footprint.
Generally speaking, there is little differentiation between countries. Like many other countries, the government has played a role in legislating for stricter cybersecurity and certain sectors like banking and energy are taking it seriously. However, there is still a lot of work to be done by other sectors and their organisations.
Are there any countries that are world-class?
It’s less about one country beating another, and more about some national policies and standards being better formulated than others. In the US there are mandatory frameworks that specifically apply to certain sectors: PCI DSS for the payment card industry or HIPAA (the Health Insurance Portability and Accountability Act) for health care organisations, for instance. This helps those sectors stay as secure as possible, and that approach is only just starting in Europe.
The European Union Agency for Cybersecurity (ENISA) publishes guidance and legislation on cyber security, which many organisations will find useful. There is also an initiative in Europe at the moment to clarify where sovereignty starts and ends when it comes to cloud storage, which could help organisations better understand how to manage their own systems.
What could leaders in other countries learn from this report?
When they see the risks, and how much information is available to the public, leaders will hopefully understand that they have to better manage and secure their online presence. You wouldn’t shout about your bank details on the street, so don’t do it online. As part of that, they have to manage their domains, digital footprints and the visibility of their organisation on the internet.
We visited all the clients we spoke to for the survey and we found their IT managers to be incredibly receptive, as this report won them the attention of their boards. It was a relief for them to have the evidence to back up what they had been warning them about for years.
With the report findings, we provide insight into the data that clients and their third parties leave behind on the internet. While the data may seem harmless, it could, in fact, be used maliciously. We wanted to show where the vulnerabilities are but also that improvements are possible, so that organisations can better protect their IT and their people.