Rethinking Cybersecurity in the Age of the Hacker

Uploaded on 2015-06-08 in TECHNOLOGY--Hackers, GOVERNMENT-Law Enforcement, FREE TO VIEW, BUSINESS-Services-Law

Untitled-11-700x357.jpg

Fear is an important factor driving many organisations to increase their IT security spending, with a Gartner study predicting global expenditure will rise by 8.5 per cent, to $US77 billion ($97.52 billion) in 2015.  But if even the best-resourced companies are losing the cyber-security battle, what hope is there for the rest of us?

Public awareness of cyber-security threats is escalating as the list of high-profile companies hit by big security breaches around the globe continues to mount. With Sony, JPMorgan, Apple, eBay and Target Corporation powerless to keep cyber predators at bay despite their deep pockets, it's not surprising that cyber security has shot quickly to one of the top three risks keeping boards and executives awake at night, as shown by recent research we conducted at Protiviti.

Throwing money at a problem will not fix it if companies are spending on the wrong things. And the mistake many are making is that they are sinking vast sums into traditional perimeter defences, such as firewalls and antivirus software, then lulling themselves into believing the job is done. But complete perimeter lockdown is basically impossible, particularly when clever and determined hackers have you in their crosshairs.

The United States Federal Bureau of Investigation director Robert Mueller said once: "There are only two types of company, those that have been hacked and those that will be."  It's also true that cyber criminals will always have the upper hand, because it's much cheaper to hack than to defend against a hacking attack. 

For organisations to make headway in this unequal contest they need to dramatically rethink their approach to cyber security by embracing the uncomfortable truth that no organisation is safe and that breaches are inevitable. 
Importantly, companies need to recognise that their historic focus on perimeter security has only limited value. What matters is not how deep the moat is, but the agility of your strategies to limit potential damage once an attacker has already breached the fort. 
Yet, Protiviti research shows more than 70 per cent of organisations have not implemented the types of tools that are needed crucially within the perimeter. These can include a range of technologies to impede or stall a hacker's progress, including encryption, effective access controls and intelligent monitoring techniques to highlight abnormal behaviour that can identify hackers at work "on the inside".  
Companies can't protect everything, and a technology solution alone is never going to be enough. That's why a more effective approach to cyber-security requires taking an individualised, risk-based approach.  
Thinking about what data the company holds and deciding what's important enough to warrant differentiated levels of protection is a critical part of the process. This needn't be a daunting task, because most organisations have a relatively small number of assets in the "crown jewels" category.
These are assets that simply cannot afford to be lost, such as customer financial data or health records, and/or systems where an outage would be so commercially damaging as to be intolerable. 
An understanding of your information assets enables you to allocate security resources to the data that matters most and thereby protect your organisation in a more intelligent and cost-effective way. 
Fundamentally, taking a risk-based approach to cyber security is similar to how we normally think about protecting our homes. We might lock the doors and windows and install a burglar alarm but we accept that all this provides is a basic level of protection that might not be enough to keep out a tenacious intruder. 
So we take out insurance to cover the risk that we might be broken into from time to time. We might even take additional measures to secure a handful of irreplaceable or sentimental valuables, such as cloud back-up of family photos or putting heirloom jewelry in a robust safe. 
These types of targeted measures are practical and affordable. And they are proportionate to the risks we are prepared to take on different items. 
It's a simple but fitting analogy that reflects exactly the mindset we should be applying to cyber security. Sadly, far too many organisations continue to throw money at the problem, believing it's possible to lock down the perimeter and keep attackers out. 
AFR: http://bit.ly/1JDFyKG

« Nasdaq Bets on Bitcoin's Future
Pentagon To Relaunch $475 Million Cyber Effort »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

SiteGuarding

SiteGuarding

SiteGuarding provide website security tools and services to protect your website against malware and hacker exploits.

Efecte

Efecte

Efecte is a Nordic SaaS company specialized in IT Service Management, Self-Service, Identity Management and Access Governance solutions.

BigID

BigID

BigID is redefining personal data protection and privacy. BigID software helps companies secure their customer data & satisfy privacy regulations like GDPR.

CSO GmbH

CSO GmbH

CSO GmbH provide specialist consultancy services in the area of IT security.

KIOS Center of Excellence (KIOS CoE)

KIOS Center of Excellence (KIOS CoE)

KIOS carries out top level research in the area of Information and Communication Technologies (ICT) with emphasis on the Monitoring, Control and Security of Critical Infrastructures.

Identifi Global Recruitment

Identifi Global Recruitment

Identifi Global is one of the UK's leading Cyber Security & IT Recruitment specialists.

White Bullet

White Bullet

White Bullet’s risk profiling AI detects, dynamically scores and flags unsafe domains, apps and advertising.

Founder Shield

Founder Shield

Founder Shield is a data driven insurance brokerage focused excusively on rapidly evolving high-growth companies.

Liongard

Liongard

Liongard automates the management and protection of modern IT environments at scale for IT MSPs - Managed Service Providers and Enterprise IT Operations.

Outseer

Outseer

Outseer is a leading technology company in the fight against payments fraud. Outseer reliably determines authentic customers from fraudulent behavior.

Dazz

Dazz

Dazz is the cloud security remediation platform for smart security and development teams.

Nightwing

Nightwing

Nightwing is the intelligence services company that continually redefines the edge of the possible to keep advancing our national security interests.

Strobes Security

Strobes Security

Strobes is among the world’s first cybersecurity platforms specifically designed for end-to-end continuous threat exposure management.

Interlock

Interlock

Interlock are building blockchain-based security products that solve legacy web2 security issues - phishing and social engineering.

Defend-OT

Defend-OT

Defend-OT is a Belgium-based cybersecurity firm specializing in OT environments.

BUI

BUI

BUI is a global technology consultancy and Cloud Solution Provider specialising in cloud, security, and networking solutions for mid-market and enterprise-level business across the world.