Businesses will fail to protect their data assets unless they begin to understand how cybercriminals work, says Howard Schmidt, former US national cyber security advisor.
Studying the behaviour of hackers will enable businesses to identify the right defences, says Schmidt, president and chief executive of the UK-based Information Security Forum (ISF).
Success in preventing cyber attacks depends as much on knowing what to look for as it does on rolling out the right security technologies, he says.
Information sharing between business and law enforcement agencies has been used successfully in the US since the late 1990s to fight cybercrime, says Schmidt. "Collaboration between law enforcement and business is the only way to get ahead of cybercriminals to limit their impact."
Schmidt says much of the security technology used by organisations today was developed using feedback from criminal investigations in the US.
There is still a long way to go, according to the latest research. The 2009 eCrime Congress survey shows that businesses are underestimating the sophistication of cyber attacks.
A quarter of organisations polled said they either did not know or had no way of measuring increases in the technical sophistication of attacks.
This lack of knowledge and understanding is likely to put businesses at a disadvantage in trying to keep cybercriminals out.
Schmidt says information gathering and sharing are important for building defensive knowledge, so IT security professionals should:
- Attend conferences regularly to learn more about cyber threats
- Exchange information on cybercrime with law enforcement agencies
- Use crime investigation knowledge to formulate security strategies
- Learn how to identify the tell-tale characteristics of cybercrime
- Share security information with all users of IT in the organisation
- Teach all IT users how to identify cyber threats and how to respond
- Establish clear processes to enable end-users to report suspected e-crime
- Ensure all IT users know what is good security practice and what is not