The cyber-threat landscape is becoming increasingly complex, with attacks being deployed against organisational defences in greater diversity, frequency and sophistication. Unfortunately, as the forces besieging them mount up, the consequences for organisations whose attackers succeed are also becoming more severe.
Cyber-threats are no longer just an IT problem; they are a business-level issue that can disrupt critical functions and systems. An organisation that is breached stands to lose business, reputation and the confidence of its customers and users, as well as the valuable information its assailants were after. Yet despite their best efforts to defend their perimeters, businesses continue to fall victim to their attackers' latest tactics on a regular basis. The recent string of major, high-profile breaches at US retailers and others serves as an all too pertinent reminder that those who don't do enough to keep the bandits at bay face severe penalties. So where are organisations going wrong, and what can they do to put themselves in a better defensive position?
Medieval warfare in the modern age
Much has changed over the years, but the tactics medieval kings used to defend their castles are just as pertinent today as they were 800 years ago. Whether you're trying to hold off attackers wielding DDoS attacks and advanced malware or battering rams and catapults, investing in the latest defensive tools and measures will not ensure security by itself. Technology can mitigate some information security challenges, but even the best technology cannot succeed unless the people within the organisation do the right thing. Established processes, and educated users who follow them, are equally important to the prevention and detection of cyber-attacks.
Traditionally, large organisations have tackled these demands with reactive processes that address known security threats. However, as threats evolve on an almost daily basis, they often don't match the signatures or recognisable patterns that legacy defences look for, which makes it easier for them to evade the detection measures most organisations rely on. A more proactive approach to information security is therefore essential, with security processes linked to the actions employees perform to complete routine business functions. Organisations need to move beyond simply raising awareness of the problems and look at how they can embed processes and behaviours that address the risks directly.
Awareness is the best line of defence
Of course, that's not to say that awareness isn't important. Users are the biggest firewall an organisation has, and so they need to be made aware of the security risks of their actions. Security leaders need to educate and train their users to give them better insight into what is happening in and around their environment. To be effective against today's threats, awareness programmes can't be built on assumptions about what employees already know and how they think and feel. They must start from the understanding that people are unique, with different learning styles, and so absorb information in many different ways.
This means an effective awareness programme needs a variety of educational techniques. One of the more effective methods is to run campaigns that expose employees to simulations of recent attacks seen in their industry, such as phishing exercises that mirror the lures currently in circulation. Regular webcasts, information security weeks, posters and quizzes are some of the other, more cost-efficient ways to keep employees up to date on the threats facing their organisation. However, to be truly effective, organisations must help their employees understand the value of IT security, rather than treating awareness programmes as a box-ticking exercise. The programme must embed positive behaviour and encourage employees to form habits that contribute to IT security. This reduces the chance of attackers succeeding with the most popular social engineering tactics, such as phishing scams.
Leading from the frontlines
All this is best delivered by a Chief Information Security Officer (CISO) or Chief Security Officer (CSO), who is responsible for understanding the organisation's business drivers and creating a security policy that supports them. The CISO/CSO is also tasked with maintaining compliance with the growing list of regulations and legislation, customer expectations and contractual obligations that dictate how the organisation operates. Because the role is central to the business's operations, the CISO/CSO should be involved in board-level decisions and discussions.
To be most effective, the CISO/CSO also needs the support of an equally smart and specialised security team. Some of the newer technologies are advanced enough that organisations need people with the skills to understand them and then implement them to get the best possible defence. For example, traditional firewall operators need to be trained to recognise malware symptoms and phishing attacks and to carry out NetFlow analysis, so that they can identify malicious activity and react in time.
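To make the NetFlow point concrete, here is an added example (not code from the original article or from HCL) of the kind of flow analysis a firewall operator might be trained to run. It works over constructed flow records rather than a real collector's export, and the record layout (source, destination, destination port, bytes out, timestamp) and the thresholds are assumptions chosen for illustration. It flags two common indicators: a host checking in with one external address at a near-constant interval (beaconing), and a host sending an unusually large volume of data to one external address (possible exfiltration).

```python
"""Added example: simple NetFlow-style indicators over constructed records.

The flow tuple layout (src, dst, dport, bytes_out, ts) is an assumption for
this example, not a real collector's schema. Addresses are from the TEST-NET
ranges and the records are constructed, not captured.
"""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range

# Constructed sample flows: (src, dst, dport, bytes_out, ts_seconds)
FLOWS = [
    # ordinary browsing from 10.0.0.5: few flows, irregular timing
    ("10.0.0.5", "192.0.2.10", 443, 1200, 0),
    ("10.0.0.5", "192.0.2.10", 443, 8800, 37),
    ("10.0.0.5", "192.0.2.11", 443, 15000, 90),
    ("10.0.0.5", "192.0.2.11", 443, 4200, 410),
    # 10.0.0.9 contacting one host every ~300 s with tiny payloads
    *[("10.0.0.9", "203.0.113.7", 443, 512, 300 * i + (i % 2))
      for i in range(1, 9)],
    # 10.0.0.12 pushing a large volume to one external host
    ("10.0.0.12", "198.51.100.20", 443, 900_000_000, 1000),
    ("10.0.0.12", "198.51.100.20", 443, 700_000_000, 1300),
    # internal-to-internal traffic is out of scope for these two checks
    ("10.0.0.12", "10.0.0.50", 445, 5_000_000_000, 1400),
]


def group_outbound(flows):
    """Group internal->external flows by (src, dst) into [(ts, bytes), ...]."""
    pairs = defaultdict(list)
    for src, dst, _dport, nbytes, ts in flows:
        if (ipaddress.ip_address(src) in INTERNAL
                and ipaddress.ip_address(dst) not in INTERNAL):
            pairs[(src, dst)].append((ts, nbytes))
    return pairs


def find_beacons(flows, min_flows=6, max_cv=0.1):
    """Return (src, dst, mean_gap) for pairs whose inter-flow gaps are nearly
    constant. Regularity is measured as the coefficient of variation
    (population stdev / mean) of the gaps; below max_cv counts as a beacon."""
    hits = []
    for (src, dst), recs in group_outbound(flows).items():
        if len(recs) < min_flows:
            continue
        times = sorted(t for t, _ in recs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < max_cv:
            hits.append((src, dst, round(m, 1)))
    return hits


def find_exfil(flows, threshold_bytes=1_000_000_000):
    """Return (src, dst, total_bytes) for outbound pairs at or above threshold."""
    hits = []
    for (src, dst), recs in group_outbound(flows).items():
        total = sum(n for _, n in recs)
        if total >= threshold_bytes:
            hits.append((src, dst, total))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(FLOWS):
        print(f"beacon: {src} -> {dst} every ~{gap}s")
    for src, dst, total in find_exfil(FLOWS):
        print(f"large outbound: {src} -> {dst} {total} bytes")
```

Real deployments tune the thresholds per network and add an allow-list (update servers and monitoring agents also beacon), but the two checks show what "identifying malicious activity" from flow data looks like in practice: no payload inspection, just timing and volume.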
Of course, there is a long journey ahead, with many bumps in the road, for those tasked with keeping cyber-criminals out of their organisation's inner keep. Those who are able to align their people, processes and technology in these ways will have a much stronger footing from which to fight back.
Contributed by Kalyan Kumar, SVP and chief technologist, HCL Technologies