The security challenge facing organisations is how best to ensure their enterprise security in an interconnected world where employees’ ability to communicate anywhere and at any time via multiple devices puts them at greater risk of cyber attack.
The concept of a defendable enterprise perimeter that can be shored up against the flood of attacks from both organised criminals and governments is dead, but the playing field is far from level, with the market for cyber crime estimated at $104bn – twice the amount spent worldwide on protecting information assets.
“The idea of a perimeter that will defend you like a brick wall has gone,” says James Nunn-Price, partner and cyber lead at Deloitte. “Most organisations have multiple perimeters of different strengths, and effort must move to managing the internal threat to detect what is happening within the organisation.”
Paul Vlissidis, technical director at the NCC Group, agrees that the perimeter has been stretched beyond recognition due to new technologies. “The world is now highly mobile, cloud is becoming mainstream and trends such as bring your own device (BYOD) are increasing. Corporate data is in the cloud so it renders the idea of the perimeter as useless; it is a 1990s security mindset. This doesn’t mean unplug the firewall, but organisations have to think about how information is structured and flows through not just their own networks, but the whole cyber world,” he says.
With criminals directing so much resource at attacks, Nunn-Price says it is no longer a case of if you are targeted, it is a case of when. “Noise at the perimeter is just noise. A hacker who has researched and targeted an organisation will almost certainly find their way in. Organisations need to put in place security controls, but best practice is also about monitoring threats and responding appropriately when attacks happen. The challenge for an IT leader is to have an appropriate response strategy,” he says.
Eric Ahlm, an analyst for Gartner, says security technologies are evolving to detect the unknown and overlooked. “One of the key goals of both government and private-sector buyers in augmenting their cyber security practice is to deal with very sophisticated attacks that target their users or organisations directly and can remain persistent in their networks for long periods of time until a deadly attack, such as massive data exfiltration, can be fully executed by the attacker,” he says.
Focusing only on the perimeter and spending up to 80% of the security budget on perimeter defences is no longer tenable, and activities should instead be directed at disrupting potential attackers.
Gartner confirms that recent sophisticated targeted attacks show preventative security systems alone, such as firewalls, intrusion prevention systems, antivirus software and other controls, although beneficial, can miss such attacks.
“What is missing in many of these preventative controls is the ability to detect unknown malware, find currently compromised systems and, in general, find the attacks that succeed or are missed by current security controls. The need to mix more detective controls has been a catalyst in evolving security technologies and services,” says Ahlm.
Vlissidis says the front line is now the desktop, as users deep within the organisation are being targeted: “Phishing emails are aimed at users who are in the soft centre of an organisation. There needs to be acceptance that the network is exposed and to protect it; different islands or zones of security are required, but the bigger the network, the harder it is to kick out the threat.”
Organisations must be absolutely clear about how they respond to an attack, and need to understand what has happened before they make announcements and claim a threat has been detained, only to find they are hit again a week later.
“Once the security basics are in place, organisations need to focus on reducing impact and understanding how to recover more quickly,” says Nunn-Price.
He believes that with the growth of trends such as BYOD and the proliferation of powerful devices used in both work and home environments, coupled with the often international aspect of a breach, with different countries handling security breaches in their own way, it can take days to get to the bottom of what exactly has gone on and which assets have been hit. “Proactively monitoring what has happened on your network and how to respond is a major challenge for an IT director,” says Nunn-Price.
In the face of a relentless and dynamic threat environment, with increasingly sophisticated attacks, many attackers go undetected by their victims once they are inside the organisation. Some estimates suggest the time taken to respond to an attack has increased from 10 to 30 days.
Organisations clearly want to be able to respond in as near as real time as possible to any attack, but the brutal fact is it can take weeks, and in some cases months, for an organisation to respond, by which time the damage mounts up, says security expert David Lacey.
“The dwell time for advanced persistent threats, which are very stealthy attacks, can be months. Organisations have been trying to get it down to weeks or days. Ideally, response should be in real time. Smart companies with good security will have targets. If you can close down an attack quickly, the damage is substantially less,” he says.
Just as it takes time for an organisation to work out the extent of an attack, it takes a cyber criminal time to milk the organisation of its information by discovering critical data, mapping it and getting it out of the organisation into the hands of the criminals who can effectively use it.
“An attacker may find a way in through social engineering, such as via an email to an employee who has attended an event with a request to look at a particular website where it has planted stealthy malware. Once this is installed, it acts as a beacon to a command and control centre, which directs it to penetrate the organisation further. There is a discovery process where it looks around an organisation and reports back – for example, collecting as much credit card data as possible,” says Lacey.
Interrupting the criminal’s discovery process as quickly as possible is the ideal response, but unfortunately, many organisations are just not equipped with the budget and resources or the necessary skills. Lacey points to the American retailer Target; despite having a malware detection tool installed, it ignored its alerts, resulting in 40 million stolen credit card numbers, and the CEO and CIO’s resignations.
Finding the right partners, therefore, to extend capability is paramount to having any success in tackling security threats. “I know so many organisations that buy security and don’t use it properly. You need understanding of technologies and what resources to put in place,” says Lacey.
Nunn-Price says that with so many security products, a new approach is required. “The concept of actionable intelligence is about distilling information and consolidating alerts, systems and feeds that an IT director can do something with, rather than just being hit by information,” he says.
Collaboration between organisations within and across sectors is getting better, says Nunn-Price, and is encouraged by the government security initiatives in many countries. “If there is no confidence in the digital economy, everyone loses out. The UK must be a lead in cyber security or jobs will go elsewhere. Cyber security is bigger than IT; it involves marketing, HR, sales, and research and development,” says Nunn-Price.
Compliance is often considered an aid to understanding security in an organisation, but Lacey says just ticking the boxes to meet regulation and compliance requirements is not enough.
“There is no business case for security; it is perceived as costing money, closing access and taking time, which are negative things. This means compliance kicks in, which forces people to answer 400 questions to just tick a box,” says Lacey. He says staff are bogged down with compliance regulations, including legislation such as Sarbanes-Oxley, PCI DSS and ISO 27000 certification.
“Compliance generates a half-hearted response and it has not evolved over the past 30 years. But let us recognise the difference between compliance and security. Separate security from compliance, and devote a percentage of resources to doing the right things based on common sense. Organisations should find out what is really important to them and spend IT budget on securing those assets,” says Lacey.
Every organisation’s risk profile varies according to their nature of business and which sector they work in – something that Ian Campbell, a professional interim CIO, is very aware of. He is currently CIO of Value Retail, but has worked for a variety of organisations in different sectors, and with varying risk profiles.
He says it is vital to understand your risk and which assets must be protected, but with the proliferation of devices and interconnectedness, he believes the idea of treating an organisation like a citadel that can be protected by a moat is nonsense in today’s digital world.
“Today, users want multiple access any time from anywhere, and security needs to move from perimeter protection to identity management and authenticating access. A bank, however, is very different from a retailer, and how you manage risk varies, but the move is generally towards the cloud and global access, so security needs to evolve to keep up with the new world,” says Campbell.
He points out that security breaches also come from inside the organisation. “Over 70% of all security problems are caused by internal staff, which doesn’t come to light so often,” he says.
Campbell says security is changing so rapidly that new approaches are essential to keep ahead of the threat and he is an advocate of specialist help: “Most of us are still reacting and hoping not to get caught out, but there are specialist dedicated teams and partners who can constantly look out for threats ahead.”
He also believes it is the CIO’s duty to ensure that the board listens to security concerns. “The CIO must ensure security is never off the board’s agenda; you can turn it into a positive by focusing on how security looks after staff, ensures resilience and by highlighting how many months your organisation has gone without an incident,” he says.
Achieving a single view of risk across an organisation is a goal that just over half of organisations have achieved, but the view is clouded because every time a new technology is introduced, some new element of risk enters and often a patchwork response to security evolves.
“For every device, there is a simple fix that leads to patchwork growth, but having an enterprise-wide view can be perceived as slow, expensive and difficult to manage at a time when businesses want to be agile and have quick solutions,” says Lacey.
With the reality of increasingly sophisticated attacks, the expert advice is to extend capability, because organisations can’t stand alone against the tide of attacks. Sharing information with other organisations – even competitive rivals – is becoming more common. Selecting the right partners, ones with a global view of the real-time threat network, is vital if an organisation is going to stand a chance against attacks, because the future for security is not going to get any easier, says Lacey.
“We are heading for a more open and complex world. People say ‘keep security simple’, but it is impossible. As more devices become more connected with more features and are more powerful, there are benefits to society and business, but a hyper-connected world is hard to protect and secure,” says Lacey.
However, this does not mean IT chiefs can bury their heads in the sand – they need to develop effective risk management, says Vlissidis.
“Understand what risk means to you as a business; information is a more valuable asset than a physical asset in the digital world. Do not do security just to meet compliance; make any strategy meaningful to the organisation. There is a global threat network and proper international crime rings, but organisations can focus on extending capability by asking experts for help. You can never outsource risk, but you can outsource some of the tasks,” he says.