SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Cyber security must focus on root causes, not just tools

Thu, 17th Apr 2025

Greg van der Gaast, a former hacker now known for his expertise in cybersecurity strategy and culture, has discussed the limitations of current security practices and the importance of addressing risks at their roots.

Reflecting on his background, van der Gaast explained that early experiences as a hacker ingrained in him a meticulous defensive mindset, developed during a time when computers were far more vulnerable. "It's interesting, because I think in one way it gave me an attention to detail—what to look for, what causes breaches. But, somewhat weirdly, I think what it influenced most was the defensive mindset."

He described the early days of direct internet connectivity without firewalls, stating, "Back then, you built a computer, you loaded your operating system, and then you went on Internet Relay Chat in a chat room full of hackers. We didn't have broadband, we didn't have home routers. Your computer was directly connected to the Internet."

He pointed to the lack of security infrastructure in those days, saying, "There were no firewalls yet. If you hadn't secured it—locked it down, tightened it, patched and updated everything—it only took about 30 seconds after joining that chat room for your hard drive to start making a lot of noise. Everything would start shutting down and you'd have to reinstall Windows from floppies."

That vulnerability influenced his outlook in business settings. Van der Gaast noted, "So, weirdly, that's probably what stuck with me the most—making absolutely sure that things are locked down properly. Later, when I entered the business and enterprise environments, the question became: how do you do that at scale? And then, of course, you find that actually running a business gets in the way."

He acknowledged a gap between technical best practice and practical business operation, commenting, "There was a bit of a gap there—but the core principles stuck, and I've kind of come full circle. Now, it's more about leadership and holistic approaches. It's about getting to the root causes, business processes, and company culture."

Addressing the issue of company culture in security, he emphasised, "And I don't mean just 'security awareness'—I mean real culture. That's what helps create a consistent level of assurance. It also enables efficiency and agility to support the business at a holistic level."

Asked about where he sees the real vulnerabilities in enterprise environments, van der Gaast observed that technology is often blamed for what are fundamentally human or process-related weaknesses. "Everyone says 'people.' I think people are the first link—but they're also your first line of defence."

He continued, "In a word, it's sloppiness. A lack of maturity, a lack of process, a lack of integration. Not having a holistic view of your environment. Your IT and security functions not understanding the business processes themselves, not knowing what there is to protect. Those are the real issues."

He gave an example of how attacks often exploited more than just one mistake. "You hear a lot of stories like, 'Dave from Marketing clicked an email and that's how everything went to hell.' But people forget to ask: okay, Dave clicked on the email—so the attacker had Dave's level of access on his laptop."

Van der Gaast highlighted the deeper failures, stating, "But how did they get admin access? Because you hadn't configured that laptop properly. How did they get through your VPN? How did they get through your firewall? Because you hadn't updated the firmware, you hadn't changed the default password. And how did they run through your data centre like wildfire? Because you had poor system administration techniques and a bunch of unpatched servers."

He remarked, "But let's just blame Dave from Marketing—instead of looking at the security and IT teams who didn't do their jobs. It has to be a holistic approach."

On the seriousness of cybersecurity efforts, van der Gaast offered a candid view, saying, "I don't think we take it seriously enough. And it's funny, because some things we take too seriously—like, I'm really not concerned about losing my credit card. I'll file a claim, I'll get my money back, I'll get a new card. It'll cost me five quid tops. Not a bother."

He contrasted this with more significant operational risks. "Other things, though—pretty significant. We're working in supply chain discovery and management, and if you're a big international business and your suppliers go offline—or your manufacturing production goes offline for three weeks or even three months—that's hugely significant."

He added, "Hospitals going offline, traffic management systems going offline—there are a lot of ways this can get ugly. And the number of ways this is possible is increasing very quickly."

Van der Gaast criticised the typical industry response, asserting, "The biggest issue isn't about pumping more money into security or buying more tools—which is what the security industry would love you to do. The whole approach is flawed."

He explained, "We're not fundamentally making things secure. We're trying to bolt on security at the end—in a way that will never be a correct fit and is simply too expensive to do completely." He warned, "And that's why, as we keep digitising everything and creating these smart, online systems, we're also creating new attack surfaces for people to exploit."

Van der Gaast emphasised the resource challenge for security teams. "We simply don't have the resource to constantly monitor this stuff 24/7, to try to detect and respond—which fails 90% of the time anyway. So, we need to start doing things right from the beginning."

Looking ahead, van der Gaast predicted that cyber threats are likely to become more severe. "We're already pretty far out there. Ransomware is hugely disruptive. More and more critical infrastructure is being hit. I think that's going to keep growing—keep scaling up."

He observed a lack of sufficient response to these developments, stating, "And we're still not taking the problem seriously. Usually, we just blame an intern and move on."

He commented on repeated breaches within certain companies, saying, "I think someone told me T-Mobile has been hacked six times in the last three years. That's probably a bad sign."

Van der Gaast summarised the outlook, "So, I think it's going to be more of the same—but more damaging. The scale of it will get worse and worse. Hopefully it doesn't escalate to warfare. That's a big scenario. It would be ideal if we didn't get to that—but it's on the table."
