Businesses will fail to protect their data assets unless
they begin to understand how cybercriminals work, says Howard
Schmidt, former US national cyber security advisor.
Studying the behaviour of hackers will enable businesses to
identify the right defences, says Schmidt, president and chief
executive of the UK-based
Information Security
Forum (ISF).
Success in
preventing cyber attacks depends as much on knowing what to
look for as it does on rolling out the right security technologies,
he says.
Information sharing between business and law enforcement
agencies has been used successfully in the US since the late 1990s
to
fight cybercrime, says Schmidt. "Collaboration between law
enforcement and business is the only way to get ahead of
cybercriminals to limit their impact."
Schmidt says much of the security technology used by
organisations today was developed using feedback from criminal
investigations in the US.
There is still a long way to go, according to the latest
research. The
2009 eCrime Congress survey shows that businesses are
underestimating the sophistication of cyber attacks.
A quarter of organisations polled said they either did not know
or had no way of measuring increases in the technical
sophistication of attacks.
This lack of knowledge and understanding is likely to put
businesses at a disadvantage in trying to keep cybercriminals
out.
Schmidt says information gathering and sharing is important to
build defensive knowledge, so IT security professionals
should:
- Attend conferences regularly to learn more about cyber
threats
- Exchange information on cybercrime with law enforcement
agencies
- Use crime investigation knowledge to formulate security
strategies
- Learn how to identify the tell-tale characteristics of
cybercrime
- Share security information with all users of IT in the
organisation
- Teach all IT users how to identify cyber threats and how to
respond
- Establish clear processes to enable end-users to report
suspected e-crime
- Ensure all IT users know what is good security practice and
what is not