Steve Benton, BT Deputy CISO, GM Cyber and Physical Security Operations and Programmes, tells us how the company operates with full control over its complex IT estates and explains how the major telecom provider functions in a way that aims to make cyberattacks worthless for those targeting the business.
Can you give an overview of your role at BT and the scope of your responsibility?
My job is to ensure that BT can detect, protect and recover from cyber and physical attacks in the UK and across the globe. This means looking after our people, data, infrastructure and buildings across both the real and virtual world.
Of course, this is an extremely difficult task. The scale and pace of threats are constantly growing, especially as criminals continue to realise the returns that can be made at relatively low risk. At the same time, we’ve seen nation state activities increase and expand, with huge effects, and more ‘traditional’ lone hacktivists are as busy as ever.
Ultimately, we’re in a constant race between cyberdefence and cyberattack, and to be successful in my role I have to make attacks against BT expensive, dangerous and worthless for our adversaries.
How does BT exercise cybersecurity to ensure it operates with a robust infrastructure?
BT is on the receiving end of an average of around 6,500 attacks every day, so we have to use all the tools at our disposal to protect our operations, people and customers.
We employ a proactive security strategy that holistically monitors and scans for any threats across our estate. As part of this, we enact multiple layers of protection to identify and stop attackers, and use AI and Machine Learning capabilities to hugely improve our ability to detect anomalies and predict threats, significantly reducing the time taken to respond to attacks.
We know, though, that there is no such thing as 100% security and that criminals will constantly invest and innovate to create new attacks. That’s why we run regular ‘black swan’ events to test our defences and see how they really stack up against a cyberattack. We also make use of our excellent Offensive Security team, who we give the remit and latitude to stress test all aspects of our security.
How would you suggest organisations can gain control of complex IT systems and ensure security is the responsibility of the business?
Visibility of your IT estate is absolutely key. Most organisations have grown organically over time, adopting a mix of systems from a range of vendors, which makes it hard to fully identify your vulnerabilities and risks. After all, if you don’t know what you have, how can you protect it?
This often becomes a critical issue when a significant security incident happens in the news, and ‘do we have one of those?’ becomes the most common refrain. Taking clear steps to assess your assets (not just the devices and systems, but also their patching status) and then putting in place clear protections based on this knowledge, is crucial for successful security.
We also recognise the importance of ensuring all of BT’s circa 100,000 employees understand the behaviours they need to adopt to protect BT, as you’re only ever as secure as your weakest link. That’s why we run a comprehensive programme to ensure they all have the tools and understanding that ensure they’re acting as securely as possible.
Can you highlight any recent examples of when you have overseen a technology implementation/worked with a vendor to enable an enhanced cybersecurity posture?
As COVID-19 hit last year, BT Security had to rapidly scale up its security capabilities around remote working. As part of this, we worked with CrowdStrike to employ enhanced Endpoint Detection and Response (EDR) across BT to help secure our devices, cloud systems and the network as a whole.
We didn’t expect to be able to deploy CrowdStrike’s technology at the scale and pace that we did during this period. We went from zero servers to tens of thousands covered in days and weeks, rather than the months expected, breaking all rollout records. We also worked closely with the CrowdStrike team to ensure secure connectivity out to the cloud was achieved without taking local resources like CPU cycles and bandwidth away from users.
More generally, we use CrowdStrike as a key part of our response and investigation into security incidents. The company helps to give us real-time intelligence and context of the threat environment and allows us to rapidly investigate breaches within the ‘golden’ first hour so that we can quickly stop and eject malicious attackers.
How do you ensure you protect your customers and avoid cyberattacks?
We apply the same security principles and protections to our customers as we do to protect ourselves, but our approach can essentially be broken down into two elements.
For all our customers, such as home broadband and mobile users, we very much aim to be the most intrinsically secure network they can choose, by ensuring that security sits at the heart of all our operating decisions and processes. We also provide a range of guidance around how they can stay safe online, for example with advice on how to identify and avoid scams.
Secondly, we also provide security solutions directly to private and public sector organisations via our BT Security unit. We work with a wide range of security partners to provide solutions that both protect their organisation from threats and enable them to securely adopt and reap the benefits of new technologies.
Has there been any change to how you manage security operations since the pandemic as more people work remotely?
The past year has really shown the importance of telecoms networks, as they’ve proved vital to enabling so many aspects of life in lockdown. Our network and systems coped really well with the increased demand – with daytime traffic on our core network more than doubling in 2020 – but this also means that securing those networks becomes more important than ever.
We employed a number of operational improvements, such as increased endpoint monitoring and heightened monitoring for any unusual system access, data extraction or unauthorised software. However, one of the most significant issues that we identified was that as well as the technological and logistical challenge, there was also a massive behavioural aspect.
The whole routine of going to work – getting dressed smartly, travelling to the office, using your passcard to enter, noting a CCTV camera and security guard – forms a mental process that subconsciously switches you into ‘work mode’ and puts your guard up. Contrast that to the daily reality of remote working…
We quickly published security guidance that looked at how these changes can make you drop the security best practices that you’d naturally employ in the office. This ranged from a reminder of actions you need to take to stay secure accessing data at home, through to fundamental behavioural stuff like asking people to just take a second to pause and take stock of their actions before continuing.
What do you predict the future will hold for BT and the cybersecurity challenges you might face as a business, as you continue your move to the cloud?
As more and more organisations make the move to the cloud, so too do the criminals looking to exploit them. The transition to the cloud erases traditional security perimeters and hugely increases organisations’ attack surface, meaning they need to move away from enacting certain security measures just because they’re expected, or they’ve done so in the past.
In the cloud, tech choices can’t be taken in isolation; it’s not just about solving one problem. The thought process needs to explore where this tech will fit into the whole — what it will connect to and how.
Strong cloud security comes from knowledge in three key areas: a sound understanding of how the cloud works; the applications a business wants to use; and the business’ plans for moving forward. Organisations that have knowledge about all three can build in effective security faster, more easily and at a lower cost.