Rethinking Cybersecurity in the Age of the Hacker

Uploaded on 2015-06-08 in TECHNOLOGY--Hackers, GOVERNMENT-Law Enforcement, FREE TO VIEW, BUSINESS-Services-Law

Untitled-11-700x357.jpg

Fear is an important factor driving many organisations to increase their IT security spending, with a Gartner study predicting global expenditure will rise by 8.5 per cent, to $US77 billion ($97.52 billion) in 2015.  But if even the best-resourced companies are losing the cyber-security battle, what hope is there for the rest of us?

Public awareness of cyber-security threats is escalating as the list of high-profile companies hit by big security breaches around the globe continues to mount. With Sony, JPMorgan, Apple, eBay and Target Corporation powerless to keep cyber predators at bay despite their deep pockets, it's not surprising that cyber security has shot quickly to one of the top three risks keeping boards and executives awake at night, as shown by recent research we conducted at Protiviti.

Throwing money at a problem will not fix it if companies are spending on the wrong things. And the mistake many are making is that they are sinking vast sums into traditional perimeter defences, such as firewalls and antivirus software, then lulling themselves into believing the job is done. But complete perimeter lockdown is basically impossible, particularly when clever and determined hackers have you in their crosshairs.

The United States Federal Bureau of Investigation director Robert Mueller said once: "There are only two types of company, those that have been hacked and those that will be."  It's also true that cyber criminals will always have the upper hand, because it's much cheaper to hack than to defend against a hacking attack. 

For organisations to make headway in this unequal contest they need to dramatically rethink their approach to cyber security by embracing the uncomfortable truth that no organisation is safe and that breaches are inevitable. 
Importantly, companies need to recognise that their historic focus on perimeter security has only limited value. What matters is not how deep the moat is, but the agility of your strategies to limit potential damage once an attacker has already breached the fort. 
Yet, Protiviti research shows more than 70 per cent of organisations have not implemented the types of tools that are needed crucially within the perimeter. These can include a range of technologies to impede or stall a hacker's progress, including encryption, effective access controls and intelligent monitoring techniques to highlight abnormal behaviour that can identify hackers at work "on the inside".  
Companies can't protect everything, and a technology solution alone is never going to be enough. That's why a more effective approach to cyber-security requires taking an individualised, risk-based approach.  
Thinking about what data the company holds and deciding what's important enough to warrant differentiated levels of protection is a critical part of the process. This needn't be a daunting task, because most organisations have a relatively small number of assets in the "crown jewels" category.
These are assets that simply cannot afford to be lost, such as customer financial data or health records, and/or systems where an outage would be so commercially damaging as to be intolerable. 
An understanding of your information assets enables you to allocate security resources to the data that matters most and thereby protect your organisation in a more intelligent and cost-effective way. 
Fundamentally, taking a risk-based approach to cyber security is similar to how we normally think about protecting our homes. We might lock the doors and windows and install a burglar alarm but we accept that all this provides is a basic level of protection that might not be enough to keep out a tenacious intruder. 
So we take out insurance to cover the risk that we might be broken into from time to time. We might even take additional measures to secure a handful of irreplaceable or sentimental valuables, such as cloud back-up of family photos or putting heirloom jewelry in a robust safe. 
These types of targeted measures are practical and affordable. And they are proportionate to the risks we are prepared to take on different items. 
It's a simple but fitting analogy that reflects exactly the mindset we should be applying to cyber security. Sadly, far too many organisations continue to throw money at the problem, believing it's possible to lock down the perimeter and keep attackers out. 
AFR: http://bit.ly/1JDFyKG

« Nasdaq Bets on Bitcoin's Future
Pentagon To Relaunch $475 Million Cyber Effort »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

TBG Security

TBG Security

TBG provides a portfolio of services including cyber security, compliance and continuity solutions.

RSA Insurance Group

RSA Insurance Group

RSA is one of the world’s leading multinational quoted insurance groups. Commercial services include cyber risk insurance.

CERT NZ

CERT NZ

CERT NZ supports businesses, organisations and individuals affected by cyber security incidents, and provide trusted and authoritative information and advice.

Araxxe

Araxxe

Araxxe delivers Revenue Assurance, End-to-End Billing Verification and Interconnect Fraud Detection solutions to communication companies worldwide.

Jumio

Jumio

Jumio’s end-to-end identity verification and authentication solutions fight fraud, maintain compliance and onboard good customers faster.

redGuardian

redGuardian

redGuardian is a DDoS mitigation solution available both as a BGP-based service and as an on-premise platform.

SevenShift

SevenShift

SevenShift is a security consulting firm with a wealth of experience in the worlds of Cybersecurity and Internet of Things (IoT).

CHEQ

CHEQ

CHEQ provides fully autonomous, preemptive technology for brand safety and ad-fraud prevention.

Scythe

Scythe

SCYTHE is a next generation red team platform for continuous and realistic enterprise risk assessments.

Netragard

Netragard

Netragard has an established reputation for providing high-quality offensive and defensive security services.

Cyolo

Cyolo

Cyolo’s Secure Access Service Edge (SASE) platform securely connects onsite and remote users to authorized assets, in the organizational network, cloud or IoT environments and even offline networks.

Center for Information Technology Policy (CITP) - Princeton University

Center for Information Technology Policy (CITP) - Princeton University

The Center for Information Technology Policy at Princeton University is a nexus of expertise in technology, engineering, public policy, and the social sciences.

Protexxa

Protexxa

Protexxa is a B2B SaaS cybersecurity platform that leverages Artificial Intelligence to rapidly identify, evaluate, predict, and resolve cyber issues for employees.

StarLink

StarLink

StarLink is an acclaimed Value-Added Distributor across the Middle East, Turkey and Africa regions with on-the-ground presence in 20 countries including UK and USA.

ShellBoxes

ShellBoxes

ShellBoxes are a leading Web3 company focused on providing top-notch blockchain security and development services.

DynTek

DynTek

DynTek delivers exceptional, cost-effective professional IT consulting services, end-to-end IT solutions and managed IT services.

Oleria Security

Oleria Security

Oleria is the only adaptive and autonomous security solution that helps organizations accelerate at the pace of change, trusting that data is protected.