Rethinking Cybersecurity in the Age of the Hacker


Fear is an important factor driving many organisations to increase their IT security spending, with a Gartner study predicting global expenditure will rise by 8.5 per cent, to $US77 billion ($97.52 billion) in 2015. But if even the best-resourced companies are losing the cyber-security battle, what hope is there for the rest of us?

Public awareness of cyber-security threats is escalating as the list of high-profile companies hit by major security breaches around the globe continues to grow. With Sony, JPMorgan, Apple, eBay and Target Corporation unable to keep cyber predators at bay despite their deep pockets, it is not surprising that cyber security has quickly become one of the top three risks keeping boards and executives awake at night, as shown by recent research we conducted at Protiviti.

Throwing money at a problem will not fix it if companies are spending on the wrong things. And the mistake many are making is that they are sinking vast sums into traditional perimeter defences, such as firewalls and antivirus software, then lulling themselves into believing the job is done. But complete perimeter lockdown is basically impossible, particularly when clever and determined hackers have you in their crosshairs.

The United States Federal Bureau of Investigation director Robert Mueller once said: "There are only two types of company, those that have been hacked and those that will be." It's also true that cyber criminals will always have the upper hand, because it's much cheaper to hack than to defend against a hacking attack.

For organisations to make headway in this unequal contest they need to dramatically rethink their approach to cyber security by embracing the uncomfortable truth that no organisation is safe and that breaches are inevitable.

Importantly, companies need to recognise that their historic focus on perimeter security has only limited value. What matters is not how deep the moat is, but how quickly your strategies can limit the damage once an attacker has already breached the fort.

Yet Protiviti research shows more than 70 per cent of organisations have not implemented the kinds of tools that are crucially needed inside the perimeter. These include a range of technologies to impede or stall a hacker's progress: encryption, effective access controls, and intelligent monitoring that highlights abnormal behaviour and so identifies hackers at work "on the inside".
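The kind of "inside the perimeter" monitoring the article refers to can be illustrated with a small behavioural baseline. The example below is added here and is not code from the article, from Protiviti or from any product it names; the log format, host and user names, time window and thresholds are all assumptions constructed for illustration. It learns which internal hosts each account normally reaches and at what hours, then flags an account that suddenly sweeps through several hosts it has never touched within a short window (a crude lateral-movement signal) or that becomes active far outside its usual hours.

```python
"""
Flag "hacker on the inside" behaviour from constructed access logs.

Added example, not the article's or Protiviti's code. Log format (ISO time,
user, destination host), user/host names, the 10-minute window and the
three-new-hosts threshold are all assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "normal week" used to build the per-account baseline.
BASELINE_LOG = """\
2015-05-04T09:12:00 alice fileserver01
2015-05-04T09:40:00 alice crm01
2015-05-04T14:05:00 alice fileserver01
2015-05-05T10:01:00 alice crm01
2015-05-04T08:55:00 bob buildbox01
2015-05-04T11:20:00 bob gitserver01
2015-05-05T09:30:00 bob buildbox01
2015-05-06T15:45:00 bob gitserver01
"""

# Constructed events to score: alice behaves normally; bob's account suddenly
# walks through hosts it has never used, at two in the morning.
NEW_LOG = """\
2015-05-11T09:05:00 alice crm01
2015-05-11T09:30:00 alice fileserver01
2015-05-12T02:01:00 bob fileserver01
2015-05-12T02:02:00 bob hrdb01
2015-05-12T02:03:00 bob dc01
2015-05-12T02:04:00 bob finance01
2015-05-12T10:00:00 bob buildbox01
"""


def parse(log):
    """Turn the whitespace-separated log text into (timestamp, user, host) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return events


def build_baseline(events):
    """Per user: the set of hosts reached and the set of hours of day with activity."""
    hosts = defaultdict(set)
    hours = defaultdict(set)
    for ts, user, host in events:
        hosts[user].add(host)
        hours[user].add(ts.hour)
    return hosts, hours


def off_hours(hour, usual_hours, slack=2):
    """True when no baseline hour lies within `slack` hours of this one.

    An account with no baseline at all (empty set) is always off-hours."""
    return all(abs(hour - h) > slack for h in usual_hours)


def score_events(events, baseline, window=timedelta(minutes=10), new_host_threshold=3):
    """Return alerts as dicts; each (user, reason) pair is raised once to avoid floods."""
    hosts, hours = baseline
    alerts = []
    recent_new = defaultdict(list)  # user -> [(ts, host)] for hosts outside the baseline
    alerted = set()
    for ts, user, host in sorted(events):
        if host not in hosts[user]:
            recent_new[user].append((ts, host))
            # keep only the sliding window ending at this event
            recent_new[user] = [(t, h) for t, h in recent_new[user] if ts - t <= window]
            distinct = sorted({h for _, h in recent_new[user]})
            if len(distinct) >= new_host_threshold and (user, "new_hosts") not in alerted:
                alerted.add((user, "new_hosts"))
                alerts.append({"user": user, "reason": "new_hosts", "at": ts, "hosts": distinct})
        if off_hours(ts.hour, hours[user]) and (user, "off_hours") not in alerted:
            alerted.add((user, "off_hours"))
            alerts.append({"user": user, "reason": "off_hours", "at": ts, "hosts": [host]})
    return alerts


def detect(baseline_log, new_log):
    """Convenience wrapper: baseline from one log text, alerts from another."""
    return score_events(parse(new_log), build_baseline(parse(baseline_log)))


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_LOG):
        print(f"{alert['at'].isoformat()} {alert['user']} {alert['reason']} {alert['hosts']}")
```

Run against the constructed logs, only bob's account is flagged: first for activity at 02:01 when its baseline hours are all in the working day, then at 02:03 when it has reached three previously unseen hosts inside ten minutes. The design point is that neither signal needs a signature of a known attack; it needs only a record of what each account normally does, which is exactly what a perimeter-only posture never collects.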
Companies can't protect everything, and a technology solution alone is never going to be enough. That's why a more effective approach to cyber security requires taking an individualised, risk-based approach.

Thinking about what data the company holds and deciding what is important enough to warrant differentiated levels of protection is a critical part of the process. This needn't be a daunting task, because most organisations have a relatively small number of assets in the "crown jewels" category.

These are assets that simply cannot afford to be lost, such as customer financial data or health records, and/or systems where an outage would be so commercially damaging as to be intolerable.

An understanding of your information assets enables you to allocate security resources to the data that matters most and thereby protect your organisation in a more intelligent and cost-effective way.

Fundamentally, taking a risk-based approach to cyber security is similar to how we normally think about protecting our homes. We might lock the doors and windows and install a burglar alarm, but we accept that all this provides is a basic level of protection that might not be enough to keep out a tenacious intruder.

So we take out insurance to cover the risk that we might be broken into from time to time. We might even take additional measures to secure a handful of irreplaceable or sentimental valuables, such as cloud back-up of family photos or putting heirloom jewellery in a robust safe.

These types of targeted measures are practical and affordable. And they are proportionate to the risks we are prepared to take on different items.

It's a simple but fitting analogy that reflects exactly the mindset we should be applying to cyber security. Sadly, far too many organisations continue to throw money at the problem, believing it's possible to lock down the perimeter and keep attackers out.
AFR: http://bit.ly/1JDFyKG
