Get real about cyber security, businesses warned
Businesses need to avoid getting caught in common traps and becoming vulnerable to attack, says a BT and KPMG report
Enterprises are sleepwalking into serious cyber-security issues, according to a report intended to provide a ‘practical guide’ to resolving the issue.
There is a series of common pitfalls that businesses tend to fall into, claims the document, created by experts at BT and KPMG.
One of the major pitfalls is that companies experience a ‘denial’ phase, where they believe that cybercrime affects only large companies and industries such as banking and finance, oil and gas, and retail. In reality, all firms face cyber attacks, which means any business is a potential target.
The report outlines the typical five stages of the cyber security journey to maturity, but also stresses that “Organisations who will be able to defend themselves more successfully during a significant attack will be those that treat cyber security as a journey and not a destination – it cannot be ‘fixed’. By focusing on innovation, they can maintain a sustainable risk position against the evolving threat landscape”.
The next stages are ‘worry’, followed by ‘over confidence’, which leads to ‘hard lessons’ being learned, before achieving security leadership, according to the report, which also cautions against getting stuck in a particular phase.
Ilia Kolochenko, CEO of web security firm High-Tech Bridge, said: “Cybercrime is a [criminal] business, and thus follows the basic rules of business: spend less, get more. Attackers are always looking for the weakest link in your IT infrastructure, before leveraging expensive 0days and complicated APT attacks. Today, the majority of large organizations and governments can be easily breached via their web and mobile (backend) applications. Emerging risk comes from third-party applications, which are exploited by hackers to compromise your trusted third-party and get access to your data afterwards – cloudisation, outsourcing and IT externalization aggravate this complicated challenge.”
The report also recommends getting the basics right, starting with good housekeeping: ensuring that firewalls, anti-virus, patching, password security and backups are up to scratch. Firms should inventory their assets and focus investment on protecting their most sensitive information, exercise common sense, and start educating internally, running refresher training and mandatory training for all new joiners.
During the ‘worry’ stage many companies feel the requirement to get spending on their security, which can be an expensive and frustrating time, but the report highlights the need to invest in people rather than going all-out on tech. “People can be the weakest link in the security chain. But with a little work they can be your greatest asset.” The top three most important factors in cutting your security risks, according to the research, are: security governance processes, security technology, and sharing tools and knowledge with peers and partners.
The next stage, ‘over confidence’, kicks in after all the boxes have been ticked: “Your cyber dashboard is green, so what can go wrong? But when did you put in your policy? When did you last refresh it? Who have you shared it with? When did you last test it? Has it really stood the test of time?” According to the report, 68 per cent of CEOs are entirely (or mostly) confident that they can transform their business without compromising on security.
In essence, any company that believes it has all the basics covered should look again at its policies, question its assumptions and investments, and ensure that all the risks are understood; there is no such thing as absolute security, says the report. It uses the following graph to illustrate cyber risk quantification:
There are three ‘zones’ you can end up in: the zone of routine, the zone of surprises and the zone of catastrophe. Most firms get used to routine cyber attacks after a while: their controls deal with the attacks, their Security Operations Centre manages the incidents, and the executive learns how often the attacks occur and how severe they are. However, as the likelihood of successful attacks drops, the cost of those that do succeed actually increases...
“Technology is changing. The threats are changing. We have to cut through the jargon, and think about our roles differently. If we want to understand the risks we need to communicate better,” concluded the report. So what stage is your business at?