Criminal and state sponsored hacking groups are posing an existential threat to businesses, senior security leaders claim.
Hacking groups now rank as the greatest security threat to business, a poll of chief information security officers in leading UK firms reveals.
Security, and defence companies have lost some of their most important intellectual property to state sponsored attackers while financial firms have lost bank and credit card details, according to research by the Corporate Executive Board (CEB).
"This is the first time in history that of the security organisation that risks pose an existential threat,"said Jeremy Bergsman CEB practice manager.
"In the past hackers might have brought down a network or defaced a web site, and there is a reputational risk. But state sponsored attackers and organised crime are stealing the crown jewels," he said.
Download IT reports and guides from the CEB
Hacking groups such as Anonymous are using a combination of social engineering techniques to trick their way inside corporate IT systems and sophisticated zero-day malware which cannot be detected with traditional anti-virus software.
"In the past most attackers went after weaknesses in the target. As long as you were stronger than the next guy you were okay. Now the attackers are persistent. They know what they want and they don’t give up," said Bergsman.
Businesses need new strategies to guard against this new wave of attacks, dubbed Advanced Persistent Threats (APTs) the CEB suggests.
But it warns security professionals not to fall into the trap of using fear tactics to justify better security – a tactic that is likely to lose them credibility with the business.
“The risk is real, but when security professionals talk about it, they need to be very careful not to exaggerate. Not just use fear, uncertainty and doubt to sell projects,” he said.
How to protect your business against organised hacking groups.
Revisit the malicious insider threat
Security professionals no longer view rogue employees as the most significant threat to company information.
But technology developed to monitor malicious activity by employees can also protect companies from sophisticated attacks, according to the CEB.
Hacking groups use sophisticated ‘social engineering’ techniques to persuade unsuspecting employees to download malicious software.
Monitoring employees activities online can help to identify these threats, which are otherwise undetectable by anti-virus software.
“We think that businesses are not thinking about that enough. They have paid for the tools already, and they need to revisit the malicious insider threat of the past," said Bergsman.
Use physical security tools to enhance information security
There is a lot more that businesses can do to improve security by integrating physical and IT security, the CEB argues.
“We are not trying to revive the buzz of three years ago, where people argued that IT and physical security should be merged under a single leader,” said Bergsman.
But, he says, smart companies are linking information protection tools with physical protection to gain an edge over criminal hackers.
For example, companies can link physical access controls to computer login records. If an employee walks into a building in London and then starts accessing the company’s network in Chicago, something is wrong.
Actively avoid being a target for hactivism
Security professionals can use their influence to help companies avoid decisions that could turn them into unwitting targets for hacking groups.
For example, financial firms faced retribution from hacking groups, when they complied with US government requests to close down the bank accounts of Wikileaks.
“If they had asked their Chief Information Security Officers (CISOs) they would have warned, if you do this, you will be attacked within a week,” said Bergsman.
Click here to download more security tips from the CEB