Why global cyber-attacks just might be the wakeup call we all needed
Why global cyber-attacks just might be the wakeup call we all needed

By now, it should be clear to business leaders that cyber-security is a business problem, not solely an IT problem. UK businesses reported losses of nearly £11 billion in 2016, according to figures released by Get Safe Online and the UK's national fraud and cyber-crime reporting centre Action Fraud. Cyber-crime is projected by Cybersecurity Ventures to cost the world in excess of US$ 6 trillion (£4.31 trillion) annually by 2021. Despite a series of high profile cyber-attacks, from the Yahoo hack to the WannaCry breach, IT professionals believe that organisation focus is far away from cyber-security until a breach happens. They allege that the strategy is frequently too focused on post-breach containment, rather than proactive prevention. 

Many leaders continue to be complacent about cyber-security, even though they are aware of their weaknesses in various areas. According to research from the Fortinet Global Enterprise Security Survey 2017 despite 85 percent of surveyed businesses having experienced a security breach in the last two years, only 50 percent viewed cyber-attacks as one of their top three risks. This disparity is a surprise. With management, not just the IT department, increasingly held accountable for breaches it would appear that many leaders are taking calculated risks surrounding the security of their data.

In a more positive light however, there is hope that recent high-profile hacks and breaches can serve as a wakeup call to businesses currently avoiding making committed security investments. The research noted that most cyber-security investment is driven by highly-publicised attacks – at present 93 percent of boards only take action when things go wrong, but high-profile cyber-attacks like Wannacry and NotPetya ensure that the problem cannot be ignored. 

In the last year, two-thirds of businesses have stated a desire to review or increase their security budget. To underline this, 71 percent of IT departments say they have increased their cyber-security budget from the previous year. Publicised breaches offer case studies in failed security protocols. A lack of planning, or employee education, gives businesses insight into what they should be doing to avoid a similar fate and ensures that the issue remains in the front of decision makers' minds.

72 percent believe they are doing better than their peers, while only six percent believe they are lagging – indicating that most laggards are living in denial – for now. What repeated cyber-attacks on well-known business could do is erode the notion that anyone is truly safe. It is not enough to be slightly better than your peers, or be doing just enough.

Being proactive about strengthening security protocols is a long-term project, which requires consistent engagement with the issue, not just a reaction to a crisis that has already occurred. Prevention is preferable to containment. This requires employee education, total visibility of a business's network, and looking to technology to automate, predict, and adapt to threats.

Prevention is easier when all employees in the business, not just the IT department, take responsibility for the security of the business. For example, breaches like the Bupa or Waymo hacks have raised the appreciation of the number of breaches that occur because employees are targeted. In response, 67 percent of businesses say they are planning IT security and awareness training for employees in 2018.

More data and hack case studies should allow professionals to take a step back and place attacks into a broader context. Harnessing the power of AI to learn from these breaches, analyse data and automate reactions to shut down breaches when they occur are vital actions that require planning. Threats evolve and adapt over time as applications, technologies, configurations, controls, and behaviours change, making security an arms race where a static solution will not do. A vital tool in this struggle is visibility. Because businesses are now likely to be spread over multiple platforms and set ups, network oversight is essential. After all, you cannot secure what you cannot see. This means control across the distributed network, including endpoints, IoT, and the cloud. For example, only 54 percent of businesses feel confident that they have full visibility and control of employee access. This raises the prospect of insider breaches similar to Bupa or Waymo occurring.

Clearly, we have a long way to go before strategies towards cyber-security becomes more proactive instead of their present reactionary form. But, with the sheer volume and frequency of highly-publicised attacks, there is already data to show that these examples are shifting attitudes. It might be just the push we need.

Contributed by Shane Grennan, regional director UK&I, Fortinet

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.