Cybersecurity: is it really a question of when, not if?
Can you imagine your banker saying “it’s not a question of if I lose your money, but when will I lose your money”?
Last week I had a pleasure of speaking at the Financial Times Cybersecurity Summit in London about the origins of global cybercrime and the current challenges of the cybersecurity industry. The week before, I attended Gartner Security & Risk Management Summit, where Gartner’s security experts and industry analysts presented a lot of exciting talks and reports about the current state of cybersecurity in the world.
According to Gartner’s Top 10 Security Predictions 2016, through 2020, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year. Meanwhile, many companies and organizations spend huge amounts fighting mysterious APTs and zero-days. To better understand the subject, let’s walk through some quick numbers and statistics about cybersecurity and cybercrime first.
Gartner says that worldwide cybersecurity spending will already reach $81.6 billion in 2016, rising to $170 billion by 2020. The European Commission (EC) plans to invest $2 billion into European cybersecurity research, while the Obama administration is seeking a further $19 billion in cybersecurity funding for 2017. Last, but not least, according to the Wall Street Journal, total annual Venture Capital (VC) funding in cybersecurity increased by 76 percent to $3.34 billion in 2015. Now, let’s have a look at the statistics on global cybercrime.
According to the PwC Global Economic Crime Survey 2016, cybercrime jumped to the second most reported crime. The Cost of Cyber Crime Study, produced yearly by HP and the Ponemon Institute, states that companies experienced 99 successful attacks (intrusions) per year in 2015 (a 46 percent increase in just four years). As per Trend Micro’s report, ransomware almost doubled in the first half of 2016, with 172 percent growth compared to the previous year; meanwhile, even US police departments have paid ransoms to get their data back from cybercriminals. Their colleagues from the City of London Police say banks are obscuring the true amount of money lost to cyber attacks, preferring to write off cyber incidents as losses. Finally, Cybersecurity Ventures predicts cybercrime will cost $6 trillion annually by 2021.
If we correlate the numbers from the two paragraphs above, we can definitely see that something is wrong here: we cannot keep increasing our cybersecurity budgets while, in parallel, being hacked faster and more frequently. I already mentioned in one of my previous articles the axiom that spending more doesn’t necessarily mean spending better, particularly in cybersecurity. It’s confirmed by PwC’s State of Cybercrime Survey: almost half (47 percent) of respondents said that adding new technologies is their main spending priority, higher than all other initiatives, while only 24 percent said that cybersecurity strategy redesign is a priority, and as few as 15 percent see a priority in cybersecurity knowledge sharing.
This means that companies spend their budgets on new technologies before conducting a holistic and comprehensive risk (re)assessment to understand which risks and threats they need to mitigate, and in which priority. EY’s Global Information Security Survey 2015 reported similar findings: 69 percent of respondents say their information security budget needs to rise by up to 50 percent to protect the company. However, only 40 percent of the respondents hold an accurate inventory of their digital assets, and as few as 34 percent would rate their security monitoring as mature or very mature. How can we protect something we are not aware of?
I am confident you have heard the famous slogan “it’s not a question of if [you will be breached], but when [you will be breached]”. Can you imagine your banker saying “it’s not a question of if I will lose your money, but when will I lose your money”?
Even with today’s negative interest rates, it’s difficult to imagine this. Of course, nowadays, once any system or device goes live it becomes a target for numerous competing groups of hackers, script-kiddies and hacktivists that use large botnets and automated systems to constantly explore, track, compromise and backdoor vulnerable systems. Also, especially at large companies, regular security incidents with no, or minor, impact on the whole organization are unavoidable due to the complexity of their infrastructures and the human factor. Nevertheless, there is a huge difference between being hacked or breached and experiencing a non-critical security incident.
A good example is last week’s Yahoo data breach, which affected over 500 million customers. Taking into consideration just how big, complicated and dynamic Yahoo’s technical infrastructure is, it’s impossible to guarantee that all their web applications and web services have no security vulnerabilities such as XSS, or even SQL injections or RCEs. However, assuming that Yahoo was the victim of an external web attack, why did the internal security mechanisms overlook the dumping of 500 million records without blocking the process and raising an alert? What about internal privilege and access segregation?
Robert Metcalf, director of cybersecurity, Financial Services, at PwC, comments: "Today, you need to actually assess if you have already been breached, and also focus your efforts and budget on building your detection and response preparation capabilities, so that when the attack happens, you are ready for it.”
Cybersecurity management is not rocket science. Moreover, by following the four simple steps of the cybersecurity management lifecycle below, you can avoid 90 percent of incidents without spending a fortune on wrong or inappropriate solutions:
1) Comprehensive inventory of your digital assets
Make sure that you continuously monitor all your digital assets: data, users, software and hardware. In the era of cloud, BYOD, BYOA and outsourcing, it’s a challenging task, but without it you’d better not spend on cybersecurity at all.
2) Holistic risk assessment and priority-based risk mitigation plan
Once you have a comprehensive inventory of your digital assets, you need to organize all relevant people from your organization and external experts to conduct a holistic risk assessment. You need to identify and prioritize all risks applicable to your organization, your business processes and your people. Once identified, assign the right people to mitigate those risks, and the related threats and vulnerabilities, within a clear timeline.
3) RFP, vendor evaluation and implementation
Keep in mind that a solution working perfectly on UBS or HSBC premises may fail at your organization. Not because the solution is bad, but simply because it may be inappropriate for your business processes, company size, business culture or employees. Before signing a cybersecurity offer, follow a thorough RFP process.
4) Evaluation, review and continuous monitoring
Once deployed into production, make sure that a security solution meets the initial requirements in accordance with your risk mitigation plan. Implement continuous monitoring for your digital assets, emerging risks, threats and vulnerabilities, and re-assess your risks when required.
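As an added illustration of steps 1, 2 and 4 (this is example code, not part of the original article), the check below runs over constructed sample data: it flags assets that discovery found but the inventory does not know (nobody can risk-assess those), inventoried assets that have disappeared, and open findings that have been publicly known for at least the one-year window Gartner’s prediction refers to, grouped by owner so they can be assigned in the mitigation plan. Hostnames, owners and vulnerability ids are placeholders.

```python
from datetime import date

# Constructed sample data (placeholders, not real hosts or CVE ids):
# what the organization believes it owns, with an accountable owner per asset.
KNOWN_INVENTORY = {
    "web-01": {"owner": "ecommerce", "software": "nginx 1.10"},
    "db-01": {"owner": "ecommerce", "software": "mysql 5.6"},
    "hr-app": {"owner": "hr", "software": "custom-php"},
}
# What a discovery scan actually saw on the network.
DISCOVERED_ASSETS = {"web-01", "db-01", "staging-02"}
# Open findings: (asset, placeholder vuln id, date the issue became public).
OPEN_FINDINGS = [
    ("db-01", "vuln-A", date(2015, 3, 1)),
    ("web-01", "vuln-B", date(2016, 8, 15)),
]


def inventory_drift(known, discovered):
    """Step 1: assets seen but not inventoried, and inventoried but not seen."""
    known_names = set(known)
    unknown = sorted(set(discovered) - known_names)
    missing = sorted(known_names - set(discovered))
    return unknown, missing


def stale_findings(known, findings, today, max_age_days=365):
    """Step 2/4: findings public for >= max_age_days, grouped by asset owner."""
    by_owner = {}
    for asset, vuln_id, published in findings:
        if (today - published).days < max_age_days:
            continue
        # Unknown assets have no owner; route them to a triage bucket.
        owner = known.get(asset, {}).get("owner", "UNASSIGNED")
        by_owner.setdefault(owner, []).append((asset, vuln_id))
    return by_owner


def priority_report(known, discovered, findings, today):
    """Combine both checks into the items a risk meeting should start with."""
    unknown, missing = inventory_drift(known, discovered)
    return {
        "unknown_assets": unknown,
        "missing_assets": missing,
        "stale_vulns_by_owner": stale_findings(known, findings, today),
    }


if __name__ == "__main__":
    print(priority_report(KNOWN_INVENTORY, DISCOVERED_ASSETS, OPEN_FINDINGS, date(2016, 9, 30)))
```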
Keep your cybersecurity clear and simple, and you will see that it’s actually a question of if, not when.