We're losing the battle against cyber-attacks, despite the best efforts of enterprise. The recent ‘IT Threat Evolution Report' from Kapersky Lab claims the first quarter of this year was one of the highest in cyber-history, with 2.2 billion attacks, double that of the previous year. And yet security spend has never been higher, with Gartner reporting an increase of eight percent per annum.
Upping spend is often the first reaction to a breach. JP Morgan doubled its cyber-security budget following an attack that affected 84 million customers and it's not alone. High profile breaches have seen budgets increased, with a recent study by the Ponemon Institute claiming 61 percent of organisations boosted security spend last year, with the majority going on detection solutions such as endpoint security, IDS/IPS, and SIEM.
Yet there is a clear disparity between spend and the Kapersky report: throwing more money at the problem isn't working. A preference for technical solutions, which are far easier to allocate spend for than the slow burn of organisational change, is partly to blame, as is the board, which has allowed itself to be swayed by the IT department and a desire to appease shareholders. The result? An over investment in solutions geared at stopping cyber-attacks rather than detecting attacks and defending data.
While cyber-security may now be firmly on the agenda at board level, how best to tackle it isn't necessarily understood. BYOD is now rapidly extending the enterprise beyond the point where it can effectively police itself, increasing the attack surface. Attacks are also multi-faceted, leapfrogging from the point of entry into other systems, in a bid to find sensitive data. And they may involve more than one player. With cyber-crime now an international black market, the likelihood is that information on corporate compromises could be bought and sold, with specialist hackers increasing the risk of a successful strike.
Estimates suggest most organisations spend over three quarters of their budget on defensive security measures aimed at keeping attackers out. That leaves just a quarter of the budget to deal with those attacks that are successful. Small wonder, then, that many are now agreeing with the sentiments of James Comey, director of the FBI who said there are two kinds of big companies: those who've been hacked and those who don't know they've been hacked.
Spend can never keep pace with the cyber-threat, therefore it needs to become more focused, more strategic, and seek to protect the most vital asset: data. Rather than trying to fend off what is fast becoming a tidal assault, the board should assume a position of compromise and use risk assessment to focus resource. Strategy needs to look at how to maintain business as usual in the event of a breach through Incident Response but changes must also be made throughout the enterprise to make it harder to find and extract valuable data.
The average time taken to detect a breach is reported to be 229 days during which the attacker has free reign over an enterprise focused on intrusion prevention. Minimising that detection time and whittling it back into single digits has to be the priority but to do so the enterprise needs to think tactically and adopt measures aimed at deflecting, confusing and frustrating the attacker once they're inside. Consider why the business would be attacked, what the attacker would seek to access, and how. Grade data according to its sensitivity and carve-up the network to make it harder to access that data.
The board does have an important role in this, determining and allocating responsibility, overseeing cyber-security strategy and risk management. Evaluation is also key, to determine changes in the threat profile, and the ability of the organisation to continue to respond to actionable intelligence.
By adopting a position of compromise, the enterprise can then begin to focus it's spend and resource far more strategically. Rather than stretching itself to the limits to police an ever-expanding attack surface, the emphasis becomes one of adaptive risk management which aims to reduce exposure. We may have to get used to living with the enemy, but that doesn't mean we can't limit their stay.
Contriubted by James Henry, Consulting Practice Manager, Auriga