Many businesses are still investing blindly in cyber security products without knowing what their real weaknesses are or how effective their current defences are, says Tom Van de Wiele, principal security consultant, F-Secure.
“Around 50% of cyber security investments are ineffective or inappropriate, but most organisations have no idea which 50% that is, which is the result of a compliance-driven tickbox approach to security, and that just does not work,” he told attendees of InfoSecurity Europe 2019 in London.
According to Van de Wiele, organisations should first establish where their critical and sensitive data is located, who owns and manages it, who is allowed to have access to it and from where, because many organisations still “have no idea”.
The next step, he said, is to look to red teaming exercises to help them understand where their cyber defence strengths and weaknesses are, because this is “crucial” when it comes to responding to attacks.
“Using an offensive or red teaming approach by internal or external teams of ethical hackers helps organisations to approach security with the assumption that they will be breached, and then understanding the various ways in which their most valuable data is likely to be targeted,” said Van de Wiele.
This in turn enables organisations to predict what attackers will do and the paths they will take, so they can identify where they need to invest in new or additional security controls. It also highlights any areas that they may be overlooking, he said, which often include physical security.
“Many organisations – particularly in the UK – do not look at physical security as part of their cyber security strategy, but this is a mistake, because having physical access to IT systems can be invaluable to attackers and make their jobs much easier,” said Van de Wiele.
Another valuable aspect of red teaming, he added, is that it enables organisations to ascertain if they are able to see red team activities, how long it takes to detect them, and to what extent existing security controls are effective in making it difficult for attackers to achieve their objectives.
“It also helps organisations understand that the attackers can exploit just about every interaction with the outside world,” he said, noting that the attack surface is typically far larger than many organisations realise.
“Once this is understood, organisations can look at ways of reducing that attack surface, which can include reducing the amount of information that employees make available on social media like LinkedIn, which can give attackers clues as to what security technologies companies are using.
“By helping employees to understand that they are part of the security process and just how useful the information they are posting online can be to attackers, it can help to encourage employees to change their behaviour,” he said.
The overall aim, said Van de Wiele, is risk management and cyber resilience. “This is not about keeping the bad guys out – because they will get in – but about being able to detect them quickly and respond effectively,” he said.
With each adjustment organisations make to their cyber security defences, red teaming exercises can help evaluate the effectiveness of those changes, he said.
“Through creating these feedback loops, organisations can keep the board informed about gaps and improvements to win future budget allocations and continually improve their defences to reduce cyber risks and to become more mature and resilient,” he added.