Rethinking cyber security in the age of the hacker
Fear is an important factor driving many organisations to increase their IT security spending, with a Gartner study predicting global expenditure will rise by 8.5 %, to $US77 billion ($97.52 billion) in 2015. But if even the best-resourced companies are losing the cyber-security battle, what hope is there for the rest of us?
Public awareness of cyber-security threats is escalating as the list of high-profile companies hit by big security breaches around the globe continues to mount. With Sony, JPMorgan, Apple, eBay and Target Corporation powerless to keep cyber predators at bay despite their deep pockets, it’s not surprising that cyber security has quickly become one of the top three risks keeping boards and executives awake at night, as shown by recent research we conducted at Protiviti.
Throwing money at a problem will not fix it if companies are spending on the wrong things. And the mistake many are making is that they are sinking vast sums into traditional perimeter defences, such as firewalls and antivirus software, then lulling themselves into believing the job is done. But complete perimeter lockdown is basically impossible, particularly when clever and determined hackers have you in their crosshairs.
The United States Federal Bureau of Investigation director Robert Mueller once said: “There are only two types of company – those that have been hacked and those that will be.” It’s also true that cyber criminals will always have the upper hand, because it’s much cheaper to hack than to defend against a hacking attack.
For organisations to make headway in this unequal contest they need to dramatically rethink their approach to cyber security by embracing the uncomfortable truth that no organisation is safe and that breaches are inevitable.
Importantly, companies need to recognise that their historic focus on perimeter security has only limited value. What matters is not how deep the moat is, but the agility of your strategies to limit potential damage once an attacker has already breached the fort.
Yet Protiviti research shows more than 70 per cent of organisations have not implemented the types of tools that are crucially needed within the perimeter. These can include a range of technologies to impede or stall a hacker’s progress, including encryption, effective access controls and intelligent monitoring techniques that highlight abnormal behaviour and so identify hackers at work “on the inside”.
Companies can’t protect everything, and a technology solution alone is never going to be enough. That’s why a more effective approach to cyber-security requires taking an individualised, risk-based approach.
Thinking about what data the company holds and deciding what’s important enough to warrant differentiated levels of protection is a critical part of the process. This needn’t be a daunting task, because most organisations have a relatively small number of assets in the “crown jewels” category.
These are assets that simply cannot afford to be lost, such as customer financial data or health records, and/or systems where an outage would be so commercially damaging as to be intolerable.