By using our site you accept the terms of our cookie policy

Avoid lazy clichés if your business is serious about cyber security

By Robin Ferris, Solutions Architect, Pulsant

Image

The hooded hacker and his rapidly scrolling screen full of code has become a deceptive visual cliché in cyber crime.

The reality is that it takes time to find a way in to an organisation and exploit it. Hackers take pains to develop their anti-social skills and constantly adapt their tools and probe defences.

Alongside this cliché is the misconception that breaches are immediately detected.

Yet when Yahoo was subjected to a massive data theft it took three years to find the breach and disclose it, and four years to complete the actual investigation (which revealed that in fact three billion accounts were affected).[1]

This may be an extreme example but global research[2] published last year shows that on average it takes companies 191 days on to find a data breach.  That is a great deal of time in which malicious code can be active inside a system.


Avoid the common misconceptions

What are businesses to do when at all ends of the scale they face the daily onslaught of malware, phishing emails, viruses, ransomware, Trojans and state-sponsored advanced persistent threats (APTs)?

An extremely useful tip is not to fall for cyber security misconceptions such as believing hackers are teenage geniuses. Eighty per cent of attacks are perpetrated by hackers who use known vulnerabilities in company systems[3].

Protecting an organisation from cyber attacks could be as easy as ensuring patches are up to date and anti-virus software is current.  However, the remaining 20% of attacks emanate from better-resourced organised crime or state-sponsored groups. These are the more skilled hackers who will target internet-connected and mobile devices and the infrastructure of cloud technology.

As cyber threats multiply and become more advanced, corporate IT security budgets are likely to carry on increasing. The Global Cyber Security Market accounted for $95.15 billion in 2017 and is expected to reach $365.26 billion by 2026.[4]

Yet no matter how much a company spends on IT security, the sheer variety of cyber threats, the likelihood of computer failure and human error, mean breaches in cyber security are almost inevitable. The threats can seem overwhelming, even for businesses with large IT departments. But with planning, clear thinking and the right technology, all businesses can improve their IT security.


The journey to effective cyber security

The journey to hardened and effective cyber security starts with a thorough review of IT systems and vulnerabilities that hackers, or a rogue employee could exploit. It could be an unpatched operating system, or a worker’s smartphone containing sensitive commercial data. The review should cover all hardware, software, the supply chain and suppliers.

The next step is to work out the seriousness of the threats. A business may function well enough if its work email system went down. But if a payment system or customer relationship management (CRM) system is knocked out of action for a few days, there could be serious problems right across the business.


Knowing your cyber weaknesses is a source of strength. Once it is understood where the areas of greatest danger are, dealing with threats becomes more straightforward. It is possible to prioritise actions and set a budget. The risks can be sorted into the three categories of technology, people and processes.


The scale of cyber security policies will vary along with the budgets assigned to them, but the aims will always be similar. These are to stop the attack where possible, identify the threat quickly and mitigate the risk.


Identifying the internal obstacles

Understanding the obstacles that stand in the way of better cyber security definitely saves time and money. One of the main inhibitors in many businesses is an internal lack of knowledge about new cyber threats and the technology and procedures necessary to mitigate them.


To be effective, cyber security requires an organisation-wide commitment and should be driven from the top down. Management support is crucial in cyber security, from allocating budget and resources, to recruiting staff.


Yet although everyone must address cyber security and take responsibility for it, the reality is that there is only so much that can be achieved without specialist help and expertise. IT departments are hard-pressed and senior executives lack either time or in-depth knowledge. That is why many choose to work alongside a trusted security partner.



Security against future threats

The pace of change can be rapid in the cyber sphere and predicting the next set of threats to cause most damage over the next couple of years is not an exact science.


We know though, that hackers usually follow the money or go for the most sensitive data an organisation possesses. And in IT, a lot of this is going into the cloud. It seems inevitable that all the devices that connect a business to its cloud infrastructure will come under attack from. By 2020, there will be 20.4 billion things connected to the internet[5] research company Gartner has predicted. Each device is a possible way into an organisation for hackers.


The scale of risk has been recognised at the highest levels. The World Economic Forum[6], for example, now believes cyber attacks are one of the biggest risks facing the world in the next 10 years. As these threats multiply and become more advanced, corporate IT security budgets are likely to carry on increasing.


What is certain is that the emergence of technologies like AI and machine learning will undoubtedly change the landscape in new and unpredictable ways, which needs to be borne in mind when creating cyber security strategies.


Indeed, any supplier claiming it can guarantee total safety from cyber threats needs to be regarded with suspicion because of the speed at which new cyber threats are emerging, the inevitability of human error and the complexity of corporate IT.


But it is possible to follow the steps outlined above to mitigate cyber threats and minimise any damage when under attack from hackers. It is always worth remembering however, that any good IT security policy needs to be supported by the board, otherwise it will not be worth the paper, or software, it is written on.