The experts’ view: How to tackle cyber threats faster with fewer resources (TEISS)
22 December 2016
The threat landscape is broadening, with risks from nation states, hacktivists and cyber criminals, as well as employee mistakes, combining to make information security harder to maintain than ever before. That was the message from Graham Francis of Hewlett Packard Enterprise, introducing a Security Hub breakfast briefing at the Savoy hotel in London.
His words were echoed by John Bloodworth of Intel, who added that simply hiring more people would not solve this problem because there are not enough qualified people available. Instead, we have to turn to technology. However, many people are struggling with the plethora of technology tools they have adopted.
There are too many tools and they don’t talk to each other, attendees agreed. Then, as threats change, there is every likelihood that new tools will be needed to fill gaps. Alan Downey of HCA added that different elements of the same tool are sometimes updated at different times. Your business might buy a ‘comprehensive’ tool but if one component doesn’t work well against a specific threat then you will need something else.
One growing threat is ransomware, which has cost £60 million in ransom payments alone so far this year, said Bloodworth. That does not include the cost of lost data, time spent and any costs incurred dealing with the problem. Businesses need to stay on top of threats like this one, which consume time, money and resources.
One simple way to reduce the risk would be to minimise or eliminate employee mistakes, such as clicking on rogue links in emails. These phishing attacks are one of the key routes into the network for ransomware and other attacks but shutting them down is almost impossible. Whether it’s because of an especially convincing email or a lapse in judgement, some links will always be opened.
Another problem attendees identified is the growing pressure from regulation. The arrival of the General Data Protection Regulation (GDPR) in 2018, for example, was seen as an inhibiting force by some attendees.
Downey said that fines for a breach under GDPR would cost his firm more than $1 billion and that was making the company very cautious. Moving to the cloud, for example, where the business cannot fully control the security of its own data, was one area where attendees felt regulation could hold them back.
There were, however, some positive messages from the briefing. Chris Gibson of Close Brothers said that getting the security basics right would mitigate between 80 and 90 per cent of the risk and is not costly. Companies that put the time into doing that can then focus their efforts on the remaining 10 to 20 per cent of threats.
Stephen Hall of Freshfields Bruckhaus recommended moving the security function out of the IT department, which would allow it to take a more strategic view and avoid being caught up in dealing with the implementation of security tools. Giles Baxter from Arthur J Gallagher agreed, saying that he was increasingly seeing a separation between IT and security, with the latter reporting directly to the board.
Another recommended strategy is to focus on data, rather than attempting to secure every part of the IT estate. Assuming that the network will be breached in some way means you can focus on very tight protection around the most important data – the ‘crown jewels’ – and use lighter measures in areas that attract less risk.
Finally, Hall said that his company was tackling the risk of an internal breach by investing more in behavioural monitoring.
The key question every board will ask the CISO, or whoever holds the relevant role, is how they know they are spending money in the right area and on the right things. This is the challenge faced by most attendees and there was general agreement that the board will be happy so long as you can show good reasons for your choices.
To that end, those present said they would like to have more information. The UK government has attempted to collate a list of security tools online, but those at the briefing said they would be unlikely to use it because the rankings from an organisation like Gartner carry so much more weight within the industry.
It would also help everyone if vendors published more thought-leading material, attendees agreed. Firstly, more information would help information security professionals to stay on top of emerging threats and the appropriate tools to deal with them. Secondly, such thought leadership helps to establish the vendor’s credentials and makes it more likely that they will make the shortlist of possible suppliers when the company looks to add tools.
Ultimately, attendees at the briefing felt that there is a lot of work to be done in the information security space but that progress was being made. The challenge remains how to make progress more quickly than your adversaries.