Cyber security: the solutions aren't working?
Despite the money being poured into keeping companies protected from cyber threats in the UK, data breaches only seem to be getting greater in frequency. Are the security solutions not working?
Short of time?
Security has emerged in recent years as the number one priority for IT leaders around the world.
What was traditionally seen as a simple component of an organisation’s infrastructure – throwing a firewall and antivirus solution down to ensure that compliance box is ticked – has evolved into something that keeps CSOs, CIOs and even CEOs awake at night.
It has also triggered the creation of a huge industry – cyber security – as hoards of vendors compete to be seen as possessing the most competent solutions in the fight against hackers and cybercriminals.
But no matter how much these companies profess to offer the latest ‘next-generation’ security products, the rate of cyber casualties shows no sign of slowing – if anything, the opposite is true.
There is a constant arms race where the attackers look to circumvent the security solutions that companies put in place, and the vendors of those solutions look to improve the security of their solutions.
The worrying reality is that the high-profile victims of cyber attacks are indeed adopting the very solutions the industry seems to scaremonger them into buying. So are the vendors losing this battle?
‘It’s becoming more apparent and widely accepted that point or stand-alone security solutions, next-generation or otherwise, simply aren’t enough to protect against the sophisticated multi-vector attacks faced,’ says Ross Brewer, VP and MD of international markets at LogRhythm
However, the problem in many cases is not the technology itself but how that technology is applied, installed and managed, according to Brian Honan, who is a member of the advisory group on internet security to the Europol Cybercrime Centre.
He believes that many of the breaches over recent years were in fact not that sophisticated.
‘In many cases, the breaches were due to poor management of the security technology, such as missing software and security patches, misconfigured security software, weak passwords, or security systems not being monitored to detect attacks,’ he says.
>See also: The 2014 cyber security roadmap
The wider strategy
It is important to recognise that technology is indeed just one part of an effective strategy for mitigating cyber attacks.
As much to blame as poor management of solutions is the lack of educating employees, whose ignorance is often exploited by hackers.
‘To put it bluntly, the days of economising on training cost are gone,’ says Rolf Van Roessing, past international VP at ISACA and executive advisor at KPMG Europe. ‘If you want smart users, you’ll have to pay for their education.
‘It is only through first-hand demonstration and experience that people acquire lasting security awareness. Compare the ‘investment’ that cybercriminals are making in terms of exploits, malware and education – why should the good guys be able to get away with less spending?’
David Emm, senior security researcher at Kaspersky Lab, advises companies to look at security like housework.
‘It's never 'done',’ he says. ‘An effective security strategy needs to be reviewed on a regular basis to check its effectiveness and to broaden it to take account of changing technologies and new tactics being employed by would-be attackers.’
But despite the frantic calls to adopt this ‘next-generation’ approach we hear of so much, many organisations still continue traditional security approaches.
Building a stronger defensive wall through deploying endpoint technologies can no longer provide adequate protection, as there is no more ‘perimeter’.
‘Data is everywhere and must be accessed and managed across multiple systems and devices, and therefore there isn't a perimeter anymore that can be adequately protected by any endpoint device,’ confirms Andy Heather, EMEA VP at Voltage Security.
A tricky investment
Indeed, many of the largest data breaches have occurred against companies that were in fact ‘compliant’, because these endpoint technologies were not able to protect the underlying data level.
However, information-security decision makers face the tough task of investing in expensive next-generation solutions when a chance of breach clearly still remains.
‘The problem is that most companies are buying the latest technologies because it is the latest thing and we are told it is important by the vendors,’ says Roger Thornton, CTO of AlienVault.
So they should be buying precisely what they need to combat the threats that are breaching them, rather than the whole package want to sell them.
But to do that, they need to know who is breaking in, how they are breaking in, and then find the suitable solution for that.
‘If nobody is breaking in, then keep your money and wait until you actually have a problem to solve,’ Thornton advises. ‘Sadly that is not how it’s done today.’
>See also: 8 cyber security predictions for 2014
The underlying problem is most companies cannot even tell if they and when they have been breached, much less what the specific solution is to avoid the specific problems they are facing.
As such, CIOs should first invest in understanding their requirements, and then issue the budget required to protect the infrastructure – rather than simply looking at what peers are investing.
‘We will often find ourselves quoting 8% to 10% of IT budget as our target figure,’ says Stephen Bonner, a partner in KPMG’s Information Protection & Business Resilience team.
‘Bringing cyber security to life for the board is key, and that means engaging in a debate about the risks the organisation is running, and the sorts of realistic cyber scenarios which the organisation may have to face.’
Focus over fear
Being realistic is the key takeaway. A recent survey showed UK companies are more fearful of trends like mobility and BYOD than any other country in the world.
Should CIOs really understand the threats they face, they would be more focused than fearful – and unwilling to let the prospect of cybercrime slow the adoption of the latest and greatest technologies.
However, Oliver Pinson-Roxburgh, systems engineering manager at Trustwave, believes despite the fears that many organisations are allowing BYOD with no process or procedure to support a mobile workforce.
‘The procedures need to support whatever mobile devices that company may have,’ he says, ‘which is often a huge challenge as every phone has different options for configurations or limitations.’
Not implementing BYOD policies can certainly restrict the amount of cost cutting a company is able to achieve, but this also reduces the number of weaknesses in an infrastructure, adds Tony Caine, VP and GM of enterprise security for EMEA and APJ at HP.
‘C-level executives in each organisation need to find the right balance for their own organisations.’
>See also: Cyber security: do you know where you stand?
A new chief
One thing companies definitely need is a properly qualified chief security officer (CSO).
Despite the huge attention around cyber threats, many UK organisations are still yet to introduce the now-vital position.
The job calls for a broad range of skills and experience; not only technical security expertise, but also sound project management, leadership abilities, and a wider appreciation of business strategy.
‘As an industry, we’ve failed to invest adequately in training for these skills and it will be many years before the supply of decent candidates comes close to meeting demand,’ says Alan Calder, founder and executive chairman of IT Governance.
In an ever-changing landscape, the only certainty is that UK organisations must change their tact this year to ensure they are not at the brunt of the highly publicised and damaging breach.
There have been so many stories relating to breaches that next-generation security is finally at the front-of-mind of C-suite across the country, but planning the right action requires much research, discussion and planning.
‘Start with effective analysis of risks, develop mitigation options, with costs and risk reduction clearly identified, get your executive team on board with making these investments, and then work fast to plug the gaps,’ suggests Jim Hietala, VP of security at The Open Group.
With the digital-by-default approach becoming standard organisations must be secure by default too. But increasing the services in a digital manner also increases the attack surface.
‘CIOs and CSOs must take the time to understand their business and its needs and then adopt a flexible risk-based approach,’ says David Robinson, CSO of Fujitsu UK & Ireland. ‘Having understood the business, application of appropriate people, process and technology must then be followed.’
What the experts say
How will the threat landscape shift this year, and what should organisations do to stay safe? The security guys predict and advise.
‘With attacks increasingly more personalised, it’s now important to have both timely and cost-effective methods of self-discovery in place. Response needs to be improved and businesses can no longer sweep incidents under the carpet. We need to understand the business impact of an attack which requires attribution as to who instigated the attack and the motivations behind the attack.’
Greg Day VP and CTO for EMEA, FireEye.
‘We will undoubtedly see new threat vectors – the threat landscape is continually evolving. Organisations should deploy solutions that protect their business-critical data and services, and most importantly should ensure that they have well-defined processes in place to deal with any incident.’
Darren Anstee, director of solutions architects, Arbor Networks.
‘The revelations from the US about the very broad surveillance activities of the NSA have heightened everyone's sensitivities to personal, and corporate, security and privacy. Governments in the EU will drive an investment in protecting privacy, a re-evaluation of existing encryption technologies, and a desire to more closely watch the 'privileged insider' who has access to the sensitive data. No one wants to be the employer of the next Edward Snowden.’
Geoff Webb, director of solution strategy, NetIQ.
‘To avoid this risk, critical infrastructure companies need to review their entire IT systems from top to bottom, ensuring there are no unprotected points of entry for potential attackers and that all points of access are secured. Organisations need to work on the assumption that they have already been compromised and work backwards on this basis.’
Chris McIntosh, CEO of ViaSat UK.
‘We need to continue developing the way we identify, and moreover analyse, malware. We need to look very closely at the coding in order to better understand how it works, and how future variants will behave. It’s about being able to predict malware’s behaviour rather than just responding to it.’
Grayson Milbourne, security intelligence director at Webroot.