Cyber attacks dominated the 2015 news agenda like never before, but no amount of profile seems to be making organisations more secure.
One of the biggest lessons learned in cyber security in 2015 was just how critical it is for businesses to remain proactive and on the front foot when it comes to combatting cybercrime.
The frequency and severity of high-profile hacks throughout the year demonstrates the pace at which cybercriminals are innovating and the need for a proactive industry response.
Backed by a $19 trillion industry, cybercriminals are finding new and complex ways of compromising and breaching systems and evading detection like never before, with half of attacks persisting on systems for months, if not years.
What is most troubling, however, is that 60% of data is stolen within the first few hours of an attack, which suggests by the time a breach has been detected, the damage has most likely already been done.
‘As such, a holistic, integrated security policy that addresses the entire threat continuum – before, during and after an attack – is the most effective way of mitigating all sources of risk, and 2015 demonstrated how much so,’ says Terry Greer-King, director of cyber security at Cisco UKI.
Regardless of the strength of their technology defences, businesses must assume they will still be attacked.
So rather than trusting security tools to prevent them in the first place, organisations should have a plan in place for when an attack occurs – including an infrastructure inventory, a full response plan, and an external communications strategy.
Investing in security is still paramount to reduce the chances of attacks being successful, but dealing with data breaches in a mature way is now critical to any IT security plan.
And when it does come to preventing attacks, getting the basics right is still one of the most effective approaches.
‘National businesses should not get hit by SQL injection attacks,’ says Wolfgang Kandek, CTO at Qualys, ‘or leave critical information available for third parties to get their hands on without permission.
‘These problems aren’t technical or driven by lack of budget; they are issues caused by lack of focus and attention.’
Cybercriminals have been developing malware that evades detection by conventional security solutions and infects networks for a number of years now.
This arms race started with the introduction of increasingly sophisticated off-the-shelf malware toolkits, which enabled criminals to easily tweak and disguise existing malware code to make a ‘new’ infection that could pass undetected through traditional antivirus defences.
But hackers are now creating malware with real ‘defeat devices’ that can identify when they are being investigated by security solutions, and actively evade detection.
‘Organisations have to find new ways of examining malware that enters the network without triggering its ability to detect that it is being tested,’ says Simon Moor, UK country manager at Check Point. ‘So companies not only have to remain vigilant against established malware families, they also face the challenge of protecting their networks against new, rapidly-emerging attack types.’
For consumers, some of the highest profile breaches in the last year came when zero-day issues within Adobe Flash led to a rash of malware attacks hidden within advertising networks, which compromised endpoints.
The biggest problem for enterprises was a lack of knowledge of their infrastructure: what do they have, how is it configured and who has access to it?
‘Related to this is the extension of the enterprise infrastructure into suppliers’ networks and the assurance of their security,’ says Kandek. ‘When a supplier gets attacked and their data breached, their credentials are still valid – an attacker can then use valid passwords to gain access to the enterprise network.’
A relentless flow of cyber attacks has shown that hackers are still a step ahead of security vendors and their solutions when it comes to the threat landscape.
One of the key reasons is that organisations are constantly trying to predict what cybercriminals will do next and how they will do it. Until a zero-day attack has occurred, it is very difficult for them to know how their security strategy needs to develop.
However, once a new, unknown threat has been caught, it becomes a known and documented malware variant, with a fingerprint and signature that can be detected in the event of future attacks.
‘If organisations share this information,’ says Moor, ‘other organisations can use it to update their own defences, vaccinating their networks against the malware to prevent an infection becoming an epidemic. This helps network defences stay hot on the tail of the latest methods and tactics that cybercriminals are deploying.’
CISOs and their vendor partners have to be right all the time in a rapidly opening and increasingly globalised environment, whereas hackers only have to be right once.
The challenge for vendors is to make their tools function in the new reality: independent users working across a non-trusted network (the internet).
Closed network tools are losing their importance – everything has to work, in spite of the internet’s reach and scale.
But the internet can also help – as more systems get moved to the cloud, some of the complexity will be removed from the business IT infrastructure.
‘Keeping an eye on these assets through continuous management is fundamental,’ says Kandek, ‘and that is where asset and vulnerability information comes in. Making smarter use of cloud and search technology enables CIOs to keep their internal and external IT assets up to date and secure.’
So despite investments in cyber security being higher than ever, why are big cyber attacks proving more successful than ever?
For every extra penny that organisations invest in cyber security, hackers redouble their efforts to breach defences.
In November 2015 alone, Check Point detected 1,200 active malware families targeting business networks – that’s a huge amount of potential ways to be breached, and doesn’t take into account other hacking techniques.
As cybercrime becomes more high profile, and increasingly lucrative for criminals, the law of averages says that an increasing number of people will be tempted to dabble in cybercrime.
‘By using advanced security solutions such as threat emulation or “sandboxing”, that uses a virtualised, quarantined area running on a network security gateway, or in the cloud, and replicates the running of the malware in various conventional PC operating systems, organisations can ensure that they are delivering robust protection to their networks,’ says Moor.
The estimated annual cost of cybercrime to the global economy is anywhere between $375 billion and as much as $575 billion. And with the persistence of cybercriminal activity, there are essentially two types of companies: those that have been hacked, and those that don’t know they have been hacked.
Understanding cybercrime as a real and serious business risk – bringing lost intellectual property, compromised customer information and confidence and valuation impact – is the only way to ensure IT security maintains its rightful place in boardroom discussion and receives adequate investment.
As organisations seek to innovate, become agile and grow their business models in the face of digital transformation, an organisation’s ability to remain secure becomes critical.
‘The most effective security investment should be in an integrated, holistic security policy that evolves with the changing threat landscape and one that is a key driver of business growth,’ says Greer-King.
‘A fragmented, multi-vendor approach that has multiple procurement cycles coupled with a shortage of in-house skills, not only impedes an organisation’s ability to effectively protect the business, but proves far more costly in the long run.’
But technology is not the only answer, and any company that takes such an approach will soon run into trouble.
Organisations need to ensure that all employees, not just those in the IT department, receive training on the threat landscape and the processes that are in place to deal with them.
This training must be regular, so that it stays top-of-mind, and should demonstrate the impact a breach could have on the organisation as a whole.
‘In today’s threat landscape, organisations can no longer afford to be complacent when it comes to training,’ says Darren Anstee, chief security technologist at Arbor Networks. ‘They should implement a comprehensive security education programme that reaches everyone.’
There has been a common understanding for some time that the security challenge must be owned by the business at large, rather than being seen as an IT issue.
‘We are now seeing evidence that enterprises are making this shift and I would encourage them to continue doing so in 2016 and beyond,’ says Rob Norris, director of enterprise and cyber security at Fujitsu UK & Ireland.
Those organisations that make this shift will be better prepared and able to avoid mistakes and respond to attacks.
The New Year represents a point at which businesses can reflect on the way in which security budgets are allocated.
In 2016, organisations need to invest wisely not just in technologies, but people and training that can more effectively reduce business risk.
The latest preventative controls are effective at stopping some threats, but persistent attackers will find a way through.
‘We need to invest in solutions that allow our security operations teams to focus their time and energy on the threats that represent “real” business risk,’ says Anstee.