The real cost of a slack cybersecurity strategy
Mon 3 Oct 2016
Mandana Javaheri, CTO at Savvius, looks at the increase in financially-motivated cybercrime and the immediate and long-term repercussions for enterprise and the security sector…
While detection and mitigation techniques have improved drastically in enterprise, attackers continue to target businesses with increasingly complex campaigns over a growing landscape of platforms from mobile and cloud, to the Internet of Things (IoT). Motivation behind these attacks varies, but one key driver for cybercrime has really come to the fore – the ease of monetization.
At the turn of the century, most cyberattacks weren’t economically motivated because it was very difficult to make any money from assaults. There were occasional nation-state industrial espionage campaigns, but they were rare. However, the emergence of Dark Net bazaars such as Silk Road and the global cryptocurrency Bitcoin changed the landscape forever.
Now it is possible for attackers to invest substantial effort into stealing credit cards and identifying information with the assurance that they will be rewarded for their efforts.
While law enforcement has stepped up its efforts to shut down these global marketplaces and made some highly publicized raids and arrests, there is so much money available, and the risk of capture is so low, that there isn’t any reason to anticipate this trend reversing. And the criminals continue to innovate on the economic side as well as the technical side of cybercrime. Ransomware, for example, blossomed overnight into a billion-dollar revenue source for cyber criminals.
For companies where it has become public knowledge that they have been breached and some significant asset has been compromised, there are both immediate and long-term repercussions. In the short term, there may be the economic costs of compensating the people who have been harmed. In the longer-term, the damage to a company’s reputation, especially a financial institution or a medical facility, may lead to a lack of confidence that is irreparable.
Investing in cybersecurity
Professionally, cybersecurity is just like any other risk management activity of an enterprise. It requires a multi-tiered plan of prevention, detection, and response. At the business level, it’s really no different than the way an enterprise deals with risks from fire, fraud or a variety of other challenges. Like the investment a company makes in a fire alarm/sprinkler system, an organization needs to invest in cybersecurity infrastructure. And, in the end, all risk mitigation strategies eventually look to insurance.
Achieving a commercially acceptable level of risk is a challenge, and there aren’t yet enough organizations at that level to be able to establish a baseline. In the past two years, we have seen numerous published breaches in each of the high-risk areas and the root causes of those breaches – both technical and human – have yet to be resolved. On the positive side, there is a greater degree of awareness about the consequences of cyberattacks which has led to a greater degree of investment.
Sectors with monetizable assets like finance, health care, government, and, most recently, retail are all under serious attack and are particularly motivated to explore approaches in multiple directions. On the other hand, areas like manufacturing or food services aren’t feeling as much pain and are likely to make the minimum investments.
An encouraging trend that may support greater involvement and investment in cybersecurity is the increasing availability of automated tools. All departments in modern corporations face the issue of recruiting and training competent employees who face ever more complex business environments and mountains of data.
One approach that has been successful is to use the tools and techniques of data science to make these jobs more tractable, by making the information simpler to understand and easier to manipulate. In departments like Finance and Customer Service, these new approaches are called “business intelligence”. In security, this emerging area is called “security analytics”.
While today, much of security analytics is just better filters to reduce data volume and better presentation tools to make the information easier to understand, the future promises to use tools like neural nets and big data behavioral analysis to pinpoint and respond to attacks while they are happening – even attacks never seen before, so-called “zero-day” attacks.
Today, the tools available for the security professional require years of training and deep understanding of the underlying technology. But, the promise of security analytics is that it will make it possible for even junior security analysts to defend the company.