Think like attackers, says HPE cyber security strategist

Organisations need to think of cyber attackers as adversaries and competitors focused on stealing data, maximising their profit and minimising their risk, says HPE security strategist Tim Grieveson

Cyber defenders need to think more like attackers, according to Tim Grieveson, chief cyber security strategist at Hewlett Packard Enterprise (HPE).

“To protect ourselves effectively against cyber criminals, we need to understand their strengths and weaknesses,” he told customers and partners at an event in London.

Grieveson said, from an HPE perspective, protecting enterprise data assets is becoming increasingly challenging for three main reasons.

First, there are new and growing areas of exposure, such as the internet of things (IoT) and increased mobile connectivity.

“As people increasingly access corporate data on the move, enterprises need to think about that shift in terms of security,” said Grieveson.

Second is the growing complexity of regulations, especially for multinational corporations that typically have to comply with a wide range of regulations that apply in different parts of the world.

Third, said Grieveson, is the fact that cyber criminals are becoming much more sophisticated, innovative and professional.

“We are now seeing them professionalising their organisations to get massive returns on their relatively small investments,” he said.

Criminal competitors in the market

According to Grieveson, Cryptowall ransomware alone is believed to have netted more than $325m for cyber criminals using the malware to lock up victims’ data and demand payment for its release.

This professionalisation means that cyber attackers are building an ecosystem that reflects legitimate business in many ways, with people dedicated to recruitment, operational and logistics managers, sales and marketing, and research and development.

“Therefore, organisations need to think of cyber attackers not only as adversaries, but also as competitors in the market who are focused on stealing data, maximising their profit and minimising their risk,” said Grieveson.

“As a result, we are seeing what look to be legitimate organisations setting up in office spaces with all the required logistical support, but with the ability to move very quickly, which is why it is getting increasingly difficult to find and challenge adversaries,” he said.

Protecting data according to business value

An effective response, said Grieveson, has to include the right people and processes, as well as the right technology.

He recommended that organisations start by looking at what assets they have so they can understand exactly what information needs to be protected and what needs to be protected most.

“It is important for organisations to understand what needs protecting, where that data resides and its value to the organisation,” he said, advocating that organisations adopt a more data-centric approach to security rather than protecting specific devices and IT systems or trying to protect everything.

This approach, said Grieveson, enables information security professionals to shape their security strategies according to business value and business risk, which in turn makes it much easier for them to engage with the business and get the necessary investment to reduce risk.

Security across the enterprise

In the light of all these factors, Grieveson said organisations have to adopt a more comprehensive and co-ordinated approach to security across the whole enterprise. According to him, there are five key areas that CIOs and CISOs should be focusing on.

First, he reiterated the need to focus on people and processes, not just technology.

Second, he said there is a need to focus on the interactions between users, data and apps. “Security is not just about the endpoint, but also about user behaviour using analytics, and reviewing the code of all business applications,” he said.

Third, Grieveson said it is essential for enterprises to ensure that everything is secure by design. “Build security into everything. Have that conversation with your board, look at all your processes, look at all the products you are producing, and talk about business outcomes, not just security technologies,” he said.

Fourth, CIOs and CISOs need to assume they have either been breached or soon will be and ensure they have the capacity to identify and remediate breaches quickly.

Finally, he said organisations need to practise cyber resilience by running through attack scenarios regularly. “Most organisations need to move beyond disaster recovery plans to practising how to respond to attacks to ensure that they are resilient too, because recovery is not the same as resilience,” said Grieveson.

Disaster recovery is about restoring normal business operations after a breach, he said, but resilience is about keeping as much of the business operating through an attack, which needs to be practised before there is an attack.

“Organisations that have practised cyber resilience will know what to do, how to respond and how to communicate internally and externally when an attack occurs,” said Grieveson.

“Having a communication plan is vital because in some recent high profile UK breaches things have gone badly wrong, not because of the breach itself, but because of poor communication with customers, with one organisation losing more than 40% of its customer base,” he said.