
How companies can fend off cyber attacks

Organisations should map IT assets to business strategy and adopt a proactive cyber security programme, says Centurylink’s chief security officer Dave Mahon

This article can also be found in the Premium Editorial Download: CW ASEAN: How managed security services help to reduce cyber risk

The odds may be stacked against victims in the growing number of cyber threats, but enterprises can still prevail if the right safeguards and practices are in place, according to a top cyber security expert.

Speaking to Computer Weekly on the sidelines of RSA Conference Asia-Pacific and Japan, Dave Mahon, chief security officer at CenturyLink, said companies are either not investing in cyber security or making minimal investments.

“It’s not that the cyber security problem can’t be addressed,” Mahon said. “Some corporations have decided to under-resource a solution, and they feel frustrated partially because they don’t know where to begin.”

That the cyber security industry has been peddling a broad range of cyber security products and services does not help either, Mahon said. “You’re looking at 25 to 35 suppliers and everyone is saying, ‘If you buy this from me, it’s exactly what you need’.”

Mahon said this confuses business leaders who may not spend on cyber security and could, in turn, live with the feeling that they are unable to cope with its demands. Compounding the matter is the fact that many companies may not have the right leader to guide them.

To have a chance of success in fending off cyber attacks, Mahon called for companies to start a cyber security practice that leverages their competitive instinct.

“If you were in the real-estate market, you wouldn’t always want to be behind a competitor that was ahead of you. You can bring that same attitude to your security programmes,” he said.

Mahon said building a good cyber security programme starts with assessing an enterprise’s corporate strategy, such as its business objectives, why it exists and how it goes to market.

Then it should map its IT assets against that strategy and ascertain its cyber security risks. “Will your computing resources enable you to get to where you want to go, with minimal interruption from threat actors?”

“If your website is critical to your success, you can’t have your websites taken out by a DDoS [distributed denial of service] attack, so you need to have a plan to minimise such attacks.”

Mahon said organisations often struggle to map their assets against their business strategy, because of the multitude of cyber security suppliers who do not always take responsibility in the aftermath of a cyber attack. “It’s like building a house with 35 contractors who say they didn’t do it after a window is broken,” he said.


Mahon’s analogy also underscores the reactive approach that organisations in the Asia-Pacific (APAC) region usually take towards cyber security, where there are “lots of fire drills”.

“But as you live that life for a while, you will start to make some investments and be somewhat more proactive, blocking mainstream attacks regularly,” Mahon said, adding that doing so would enable companies to come through attacks such as WannaCry unscathed.

More mature security programmes usually take a more predictive approach, with analysts looking into possible ways that a piece of malware could evolve to overcome security measures, Mahon said. This usually entails entering the dark web and hacker forums to gather threat intelligence.

“Most corporations in the US are slightly above reactive and almost proactive, while those in APAC are mostly reactive and are trying to get into the early stages of being proactive,” he said, noting that the high cost of lawsuits arising from data breaches in the US has driven companies there to be more proactive.

Being proactive, however, does not mean companies should adopt an offensive cyber security strategy. Mahon believes any offensive strategy should be left to governments, because hackers typically compromise someone else’s infrastructure, such as a healthcare network, and use it to attack targeted corporations.

“If you were the corporation being attacked and took down the hospital’s server, you would have committed a crime and caused damage,” Mahon said. “But corporations can be offensive by providing information to government agencies that can go do that.”
