Over the past couple of years, organisations have responded to the rising number of cyber-attacks by massively increasing their cyber-security budget, yet throwing money at the problem is not working.
This was illustrated by the recent case of a large financial institution, which announced it was spending £158 million on cyber-security by the end of 2014, only to be breached in a cyber-attack in September.
Throwing money at the problem is not the answer
In many situations the issue is that organisations are directing their budget in the wrong place, spending significant sums on technical tools and accrediting against standards, with limited understanding about the cyber-threat or what they need to protect. The perceived complexity around cyber-security has led organisations to put their trust in compliance or technology. But this is not enough – instead, a more strategic approach is needed.
Organisations are making five major mistakes that are causing them to continue to suffer from cyber-attacks. Yet there are practical steps that organisations can take to address these failings:
1. Too much focus on prevention, neglecting detection and response. Organisations need to accept that they will be attacked and should live by the mantra that there are two kinds of organisations: those that know they've been breached and those that don't know they've been breached. It is vital to put in place systems that can detect attacks as they are taking place, and to develop breach response processes that distinguish between different types of attack and highlight the potentially important ones. Test crisis management plans so that, when an attack takes place, you are ready to respond and mitigate the impact on your business.
2. Not protecting the 'crown jewels'. Many organisations fail to recognise that their most critical assets face the greatest threat. Organisations need to avoid spending huge budgets on generic security assessments, penetration testing and process improvements without also dedicating time and effort to identifying and then protecting their most critical assets. Protecting the crown jewels might well mean increasing investment in securing these assets and accepting the need for restrictions on access to these systems or data.
3. Not designing defences around the threat. Many organisations build defences but forget that as the threats evolve the defences need to evolve too. There is a need for relevant and timely cyber-threat intelligence so that organisations understand the threats specific to them and how they are changing. Monitoring the threat landscape to provide this information could be the role of a dedicated in-house team or sourced from third parties.
4. Treating cyber-security as an IT issue rather than as a business risk. Increasingly, organisations say that they treat cyber as a business risk, but few are acting on this. Organisationally, a cross-functional approach is required, with the IT function working closely with stakeholders from the business as well as functions such as risk, security and legal. Given that the delivery mechanism for a large proportion of cyber-attacks is not very technical (clicking links in emails, opening attachments, inadvertently downloading programs, or having weak passwords are typical culprits), controls need to combine the social with the technical.
5. Lacking the technical understanding to deal with advanced persistent threats (APTs). The level of cyber-threat faced by most organisations has advanced rapidly in recent years and continues to do so. However, for many organisations, their level of technical defence has not. Advanced persistent threat actors target corporate systems in sophisticated ways over an extended period of time. To address this threat, organisations need to design defences with suitably qualified suppliers that have the capability to defend against APTs and operate with an attacker mindset.
Over-reliance on compliance
An assessment of how well an organisation fares against each of these five areas is a good first step in limiting the damage from the cyber-attacks that will inevitably occur. However, it is important that this does not simply become an audit exercise. Although compliance has a value, organisations do not face attacks from auditors; they face attacks from nation-states, criminals and hacktivists who will not be interested in their collection of accreditations. It is only by following up with these practical steps that organisations can start to truly reduce their level of suffering from cyber-attacks.