Cyber attacks are headline news everywhere we look, highlighting companies that have been brought to their knees by such assaults, while independent organisations like the World Economic Forum and Lloyd's are publishing business risk registers where Cyber Risk is now in the top 10 (the Lloyd's Risk Register has it at number 3).
It’s this type of daily bombardment that is putting Cyber top of mind. This is a good thing. Because, if that gets the attention of businesses and has them rushing to respond, then at least those horror stories are serving a useful purpose. But sometimes it’s hard to respond to requests from the board to demonstrate the value that IT brings or to articulate your organisation’s Cyber Risk posture in the language that business understands. At the same time, loading up your systems with technology that’s designed to keep the cyber criminals out is not the solution. Nor is the assumption that IT can keep your business safe the best way forward. Because, no matter what solutions you opt for, it will never be enough: a determined hacker will breach your defences in the end.
That is why ‘Staying Safe’ demands a whole new way of thinking. Which brings us back to cyber itself. In the IT world, cyber is frequently scorned. Many of us in the IT industry believe this is nothing new. IT & Security have been protecting information for years and this is just another evolution. We have mobile, we have cloud – now we have cyber!
Yes, it is indeed an evolution, but there’s one significant difference: cyber is a business, not an IT, term – it’s the first time ever that the business is talking about IT and security in one breath. And that is an important step forward, because cyber is a catalyst for senior IT leadership teams to transform the role that IT and security play within the business. Once this is recognised and acknowledged, IT can move to become a trusted ally, rather than a tactical resource that is seen as a cost centre. Many organisations have already started this transformation – a transformation that Symantec readily supports through
All of which presents the perfect opportunity to take Cyber Risk and use it to break through the glass barrier that seems to exist between IT & the business. First, let’s consider in more depth what ‘Cyber’ means to IT Security in a rapidly changing landscape:
- More and more machines and devices are connected than ever (hyperconnectivity)
- Employees have multiple devices, while operational technology (robots, manufacturing systems, medical devices etc.) is coming under the fold of the IT infrastructure
- There is an increased dependency on connected services and information exchange, (i.e., Online & On-Demand Web and Cloud Services).
Combine this with rapid evolution in IT, such as increasing mobility, virtualisation and on-demand services, and we can see why there is a growing adoption of unsanctioned IT. Many of these new technologies mean that information is no longer held within the boundaries of the organisation’s traditional security controls. A recent study by Symantec (‘State of Information & State of Mobility’) showed that 50% of access to information was from outside the organisation (remote), and that 24% of information was stored on mobile devices and 23% with external cloud providers and third parties, with 54% still stored within the organisation.
Now combine all this innovation with the good old-fashioned threat landscape and we can quickly see that cyber criminals haven’t stood still either. They are targeting the very IT trends the business is using to innovate, and turning them against us.
We’ve seen a massive increase in Web attacks and attacks targeting the mobile workforce – 61% of web sites serving up malware are legitimate sites that were compromised, according to Symantec’s Internet Security Threat Report 2013 (ISTR). We’ve also seen a 42% increase in targeted attacks, with the fastest-growing sector under assault being the small & medium business sector. In other words, cyber criminals are targeting the soft underbelly of the supply chain.
How well have businesses reacted to the threats? Not that well, it would seem. In 2013, Deloitte released a global Telco, media & technology security study, in which 78% of IT leaders cited the increasing number of third parties as one of their top vulnerabilities – despite that, only 31% had engaged with their supply chain around cyber awareness. Moreover, the Ponemon Institute’s cost of a data breach report, released in conjunction with Symantec in 2013, showed that such costs rose 14% when a third party was involved.
So, what’s to be done? First, we have to admit that incidents will happen. With some 60% of organisations suffering more than 25 incidents a month, it doesn’t matter how much we spend or what controls we put in place. The question, therefore, is not whether you will come under attack, but when. So, while prevention is important, it will not save you. What organisations must have in place is a cyber strategy that presents a united business and IT front to ensure rapid detection of an attack when it occurs and equally rapid response.
How do you get that right? By understanding the four stages of cyber security – Prepare, Prevent (Protect), Detect/Respond & Recover. The more preparation is carried out upfront, the more flexibility the decision maker has to respond when a threat materialises. A carefully constructed response plan will streamline activities and greatly reduce mitigation times. It is also worth recognising that we only fully understand the detail of an incident as we watch it unfold and as we move through the affected systems, cleaning and removing the threat. Fast-tracking that understanding by learning from someone else’s experience (external threat intelligence) makes the job much easier.
In my next blog, I will look in some detail at Rapid Detection and Response, and the roles that products, policy and process play in this.