Dave Jevans, chairman of IronKey and the Anti Phishing Working Group, looks at why locking down internal systems is not enough to combat sophisticated cyber criminals.
Although the threat from cyber criminals has existed for decades, the sheer volume of successful attacks on high profile brands during the last six months has highlighted an urgent need to protect against data breaches.
A recent Gartner blog stated that many of the IT security improvements it has seen over the past five years are fast becoming obsolete in the face of more sophisticated cyber attacks. Having read it, I have no doubt that turning the tables on the bad guys won't be easy.
As I write this, I know that millions of businesses and IT departments are frantically trying to ensure they don't become the next victim of cyber crime, while regulators are attempting to bring some order to the situation.
Unfortunately, however well intentioned the efforts of businesses, IT departments and bodies like the Information Commissioner's Office (ICO) and the European Commission, the idea of focusing attention on protecting internal systems is outdated and ineffective.
We are living in an era where cyber criminals are becoming ever more sophisticated, and if they can't get into a company's systems, they'll simply target its customers instead. Furthermore, cyber criminals are making use of social media channels to collaborate and drive new threats, with the aim of beating every IT security solution that a business can deploy.
While businesses and IT departments deploy ever increasing amounts of time and money trying to fight the threat, the ICO and the EU have simply added to the pressure.
The ICO recently announced that it felt that private and public sector businesses should be externally audited to improve data security and reduce the rising number of breaches which have exposed customer data. Following that, the European Commission raised questions on whether the EU's existing Privacy and Electronic Communications Directive needed additional rules in relation to personal data breach notification.
There is no doubt that many businesses have been lax when it comes to protecting their IT systems and sensitive customer data from cyber attack. However, many companies that have spent big on new IT security solutions are now facing the prospect that virtually every authentication technique can be compromised by a sophisticated cyber attack.
With that in mind, threatening businesses with increased regulation and legislation, backed by fines and public naming and shaming, is missing the point.
It's no longer sufficient to protect a business's internal IT infrastructure. The bad guys can now get into companies and their systems in many different ways. For instance, they might simply target the IT manager via Facebook, or send them a link in an email from a hacked account, purporting to be from a friend. Using this way in, cyber criminals could have access to a goldmine of data and IT systems within a short period of time.
Now some of you may think this is unlikely, but sadly this type of attack was recently carried out on one of the largest IT security firms, and there are thousands of similar attacks currently being launched against much more vulnerable organisations.
So, how can the ICO and the EU truly believe that increasing audits or fines for data breaches will actually help businesses to overcome the problem? After all, it's unlikely that the breached IT security company in question had failed to take every possible measure to protect its internal systems and sensitive data. It simply hadn't looked beyond the obvious.
I believe that the whole ecosystem, ranging from government to businesses, needs to begin to think and work a bit more like the criminals themselves. The IT security community, businesses and bodies like the ICO and the EU need to work together, just as the cyber criminals are doing, to properly understand and address the threat.
An example of cross-industry collaboration is the recent initiative by the United States Federal Financial Institutions Examination Council (FFIEC) to protect the online banking system from a continued onslaught of cyber attacks. The FFIEC recognised the immense threat currently posed to the American banking sector by cyber criminal attacks and has issued internet banking guidance which calls for multiple layers of security controls to prevent fraud.
One of the recommended security controls is the use of secure browser sessions. This safe browsing environment increases session security because it enables a secure link between the customer's PC and the financial institution independent of the PC's operating system and application software.
While this guidance is targeted directly at the internet banking environment and is by no means a silver bullet to rid the US of cyber attacks on the online banking system, collaborating in this way demonstrates a positive approach to tackling the threat.
However, the strongest message businesses, IT departments, the ICO and the EU should take from the FFIEC guidance is the question of how to provide a secure computing environment when linking directly to their customers over the internet.
No matter what internal steps organisations take to protect their IT infrastructure, those steps bring no benefit if the communications themselves are compromised whenever an organisation talks to its customers over the internet.
I have no illusions that the battle between businesses, IT teams and the cyber criminals is one that can be won overnight. But I believe that if all the good guys work closely together and begin to approach IT and data security more holistically, with businesses layering IT security solutions to fit both internal and external requirements, then we may see fewer data breach horror stories across the front pages of the press.