With 2014 creating so many security headlines, the prospect of a breach is now a ‘when’ not an ‘if’.
The problem remains that risk is usually only managed at board level once a major attack has taken place, which, besides being by far the most expensive way to resolve such problems, is neither logical nor sustainable. When the US retailer Target was hit by a data breach in the last quarter of 2013, its profits for that quarter fell by 46 per cent and the cost of dealing with the crisis was estimated at $61 million.
If breaches are going to continue to happen, then cyber crime must be tackled from the top down in a proactive and strategic way in order to prevent such crippling financial and reputational damage from occurring on a regular basis.
So why are businesses still failing to implement efficient, functional IT security strategies? The issue is multifaceted, but there are several obvious barriers to the prevention of both targeted and opportunistic attacks. Overall, there is a need for a significant shift in business culture from regarding IT security as something ‘best left to the experts’ to something that permeates the heart of a company’s culture, including its policy and its people.
People
Effective IT security depends much less on technology than most managers might think – while investment in the right software is important, a lack of ownership over the potential for human error means companies are setting themselves up for eventual failure.
“Having a secure network, though essential, is only part of an organisation’s ability to operate an effective IT security process,” said Terry Greer-King, Director, Cyber Security, Cisco UK. “After all, any cyber attack is born from a weak link in the security chain. These ‘weak links’ can manifest in various forms, ranging from an employee’s benign ignorance of company IT policy to full-blown ‘social engineering’ of employees by malicious outsiders.”
Many of the measures employed by well-meaning managers run counter to the way ordinary human beings actually think and behave. Ted Julian, chief marketing officer of Co3 Systems, said: “When people act inappropriately, most organisations coordinate their response the same way they have for the last fifteen years: email, spreadsheets and ticketing systems.
“The proliferation of data, increasingly sophisticated attacks and mounting regulatory requirements have rendered these manual approaches completely ineffective. Important actions fall through the cracks and subject organisations to unnecessary risk.”
The unfortunate truth is that technology alone cannot protect companies against these very human problems, and outdated ways of dealing with transgressions within organisations are no longer working.
David Emm, principal security researcher at Kaspersky Lab, believes that the first step in the right direction is to work with human nature rather than against it, and “demystify security issues”. He said that the best method is to explain issues to staff in an “easy to understand” manner, using varied forms of communication alongside the usual catalogue of do’s and don’ts for staff to follow.
While humans can be an organisation’s weakest link, they can also provide a way to solve the problems they create, through analysis of the data their activity generates. Uri Rivner, VP business development and cyber strategy at BioCatch, said: “Creating a baseline of a user activity, their interactions, habits, choices and behaviour, is now achievable.
“Intruder detection, once in the realm of network and content analysis, will become a human analysis task instead. New technologies based on Big Data analytics and behind-the-scenes cognitive biometrics are paving the path to a new defence doctrine that will detect human actions, locate anomalies and analyse their risk in real-time.”
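The baseline-and-anomaly approach Rivner describes can be shown concretely. The following is an added example written for this page; it is not BioCatch's product or code, and the log format, the scoring weights and the three-sigma volume threshold are assumptions chosen for illustration. It builds a per-user baseline (usual hours, countries, hosts and data volume) from constructed historical access lines, then scores new lines against that baseline and raises an alert when the accumulated risk crosses 50.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample access log lines (not from any real system).
# Format assumed for this example: "timestamp user src_country host bytes_out"
HISTORY = """\
2014-11-03T08:12:00 alice GB fileserver-01 120000
2014-11-03T09:40:00 alice GB fileserver-01 95000
2014-11-04T08:55:00 alice GB crm-app 40000
2014-11-04T17:05:00 alice GB fileserver-01 150000
2014-11-05T08:30:00 alice GB crm-app 60000
2014-11-05T13:10:00 alice GB fileserver-01 110000
2014-11-03T10:00:00 bob GB build-server 5000000
2014-11-04T11:15:00 bob GB build-server 4800000
2014-11-05T09:45:00 bob DE build-server 5200000
""".splitlines()

# New activity to score: one normal line for alice, one 03:14 pull of a never-used
# host from a new country at ~100x her usual volume, and one normal line for bob.
NEW_EVENTS = """\
2014-11-06T09:05:00 alice GB fileserver-01 130000
2014-11-06T03:14:00 alice RO hr-database 9500000
2014-11-06T10:30:00 bob DE build-server 5100000
""".splitlines()

ALERT_THRESHOLD = 50  # assumed: total risk score at or above this raises an alert


def parse(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, user, country, host, nbytes = line.split()
    return {"hour": datetime.fromisoformat(ts).hour, "user": user,
            "country": country, "host": host, "bytes": int(nbytes)}


def build_baseline(lines):
    """Per-user profile: working-hour window, seen countries/hosts, volume mean and stddev."""
    per_user = defaultdict(list)
    for ev in map(parse, lines):
        per_user[ev["user"]].append(ev)
    baseline = {}
    for user, evs in per_user.items():
        hours = [e["hour"] for e in evs]
        vols = [e["bytes"] for e in evs]
        baseline[user] = {
            "hours": (min(hours), max(hours)),
            "countries": {e["country"] for e in evs},
            "hosts": {e["host"] for e in evs},
            "vol_mean": mean(vols),
            "vol_std": pstdev(vols),
        }
    return baseline


def score_event(ev, baseline):
    """Return (risk score 0-100, list of human-readable reasons) for one parsed event."""
    prof = baseline.get(ev["user"])
    if prof is None:
        return 100, ["user has no baseline"]  # never-seen account: treat as maximal risk
    score, reasons = 0, []
    lo, hi = prof["hours"]
    if not lo <= ev["hour"] <= hi:
        score += 30
        reasons.append(f"hour {ev['hour']:02d} outside usual {lo:02d}-{hi:02d}")
    if ev["country"] not in prof["countries"]:
        score += 30
        reasons.append(f"new country {ev['country']}")
    if ev["host"] not in prof["hosts"]:
        score += 20
        reasons.append(f"new host {ev['host']}")
    limit = prof["vol_mean"] + 3 * prof["vol_std"]  # assumed three-sigma volume limit
    if ev["bytes"] > limit:
        score += 40
        reasons.append(f"volume {ev['bytes']} above baseline limit {limit:.0f}")
    return min(score, 100), reasons


def analyse(history_lines, new_lines):
    """Score every new line against the baseline built from history."""
    baseline = build_baseline(history_lines)
    results = []
    for line in new_lines:
        score, reasons = score_event(parse(line), baseline)
        results.append({"line": line, "score": score, "reasons": reasons,
                        "alert": score >= ALERT_THRESHOLD})
    return results


if __name__ == "__main__":
    for r in analyse(HISTORY, NEW_EVENTS):
        flag = "ALERT " if r["alert"] else "ok    "
        print(flag, r["score"], r["line"], "; ".join(r["reasons"]))
```

The weights are deliberately additive so that a single unusual attribute (a trip abroad, one late night) stays below the alert line while a combination of them does not; in a real deployment the weights and the baseline window would be tuned per population, and the baseline itself must be built from a period you trust not to already contain the intruder's activity.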
Policy and strategy
Many companies purport to have taken all necessary measures to prevent a breach, when in fact most of them have simply bought expensive new software without taking a strategic, nuanced approach to protecting themselves.
Kurt Glazemakers, senior vice president of product strategy at Cryptzone, said: “For organisations to operationalise IT security requires a complete rethink of the way data and networks are secured, what we call a ‘zero-trust’ security model.
“While that might seem drastic, it doesn’t mean everything has to change; just the way we think about, and apply security in the enterprise. A zero-trust security model will naturally move organisations away from securing things, like networks and devices, to looking at context in order to secure the actions of users.”
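The shift Glazemakers describes, from "is this request coming from inside the network?" to "does the context of this user's action justify allowing it?", is easiest to see as two decision functions evaluated over the same requests. The following is an added example for this page, not Cryptzone's product or code; the request attributes, the per-resource policy table and the four scenarios are constructed assumptions. The risk score field stands in for the output of a behavioural analytics layer such as the one discussed in the previous section.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """Context attached to one attempted action. All fields are assumptions for this example."""
    user: str
    action: str            # e.g. "read", "export"
    resource: str          # e.g. "customer-db"
    network: str           # "corp" (office LAN / VPN) or "internet"
    device_managed: bool   # device enrolled and posture-checked
    mfa: bool              # strong authentication completed for this session
    risk_score: int        # 0-100 from behavioural analytics (assumed input)


def perimeter_decision(req):
    """Traditional model: being on the corporate network is the credential."""
    return req.network == "corp"


# Hypothetical policy table: what context each action on each resource requires.
# Anything not listed is denied by default.
POLICY = {
    "customer-db": {
        "read":   {"mfa": True, "managed": True, "max_risk": 50},
        "export": {"mfa": True, "managed": True, "max_risk": 20},
    },
    "wiki": {
        "read":   {"mfa": False, "managed": False, "max_risk": 80},
    },
}


def zero_trust_decision(req):
    """Zero-trust model: evaluate the action against user, device and risk context."""
    rules = POLICY.get(req.resource, {}).get(req.action)
    if rules is None:
        return False, "no policy grants this action (default deny)"
    if rules["mfa"] and not req.mfa:
        return False, "MFA required"
    if rules["managed"] and not req.device_managed:
        return False, "managed device required"
    if req.risk_score > rules["max_risk"]:
        return False, f"risk {req.risk_score} exceeds limit {rules['max_risk']}"
    return True, "allowed"


# Constructed scenarios showing where the two models disagree.
SCENARIOS = {
    # On the office LAN, but from an unenrolled laptop without MFA, exporting customer data.
    "on_lan_unmanaged_export": Request("alice", "export", "customer-db", "corp", False, False, 10),
    # Working remotely from a managed laptop with MFA, reading the same database.
    "remote_managed_read": Request("alice", "read", "customer-db", "internet", True, True, 10),
    # Fully compliant session whose behaviour the analytics layer has flagged as high risk.
    "on_lan_compliant_high_risk": Request("alice", "export", "customer-db", "corp", True, True, 85),
    # An action nobody has granted: the zero-trust table denies it by default.
    "unknown_action": Request("alice", "delete", "customer-db", "corp", True, True, 0),
}


def compare(req):
    """Return both decisions for one request so the difference is visible side by side."""
    allowed, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": allowed, "reason": reason}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        print(f"{name:28s} {compare(req)}")
```

Note that the perimeter model allows three of the four scenarios purely because the request arrived from the corporate network, including the unmanaged, un-authenticated export and the unknown action; the zero-trust model allows only the remote request, because that is the one whose device, authentication and risk context actually satisfy the policy for the action being attempted.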
Mark Steel is CEO of Cyber Security Expo