[BreachExchange] From denial to opportunity – The five stage cyber security journey
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Dec 5 20:14:25 EST 2017
https://www.belfasttelegraph.co.uk/service/sponsored-articles/from-denial-to-opportunity-the-five-stage-cyber-security-journey-36376915.html
The digital economy is brimming with commercial opportunity for those that
embrace new technologies and innovative business models.
Regrettably, one sector which has been quick off the mark to grasp the
opportunity is the criminal community.
Cybercrime is already more common than traditional criminal offences. The
global outbreaks of WannaCry and Petya earlier this year showed the
astonishing speed and scale at which even unsophisticated attacks can
spread and underlined how ill-prepared even some big organisations are to
protect themselves from criminal cyber activity.
Progress lies in accepting that cyber security is not a single destination
but a complex journey. Broadly speaking, there are five stages along the
way.
Stage One: Denial – ‘there is no threat’. The hard truth is that all
organisations face low-level cyber threats every day, even if they don’t
realise it. Criminals don’t only target big business but increasingly go
after SMEs and individuals, soft targets that can provide a pathway into
more valuable hunting ground.
Every business is a target and must put in place the basics – after all,
standard software updates would have defeated WannaCry at first contact.
Stage Two: Worry – ‘let’s spend on the latest security systems and
solutions’. The immediate reaction from the board is to throw money at the
problem, along with the appointment of a Chief Information Security Officer
(CISO).
However, technology isn’t necessarily the priority. Because the weakest
link is often human, education is a priority. Once people understand how
they fit into the big picture, they can protect themselves and the company,
and become a major line of defence.
Stage Three: False confidence – ‘we’re sorted, bring it on’. There is no 100
per cent protection against cybercrime. For example, criminals are now
turning their attention to the supply chain, where contractors could
unwittingly unlock access to their client organisations. Then there is
‘whaling’, a highly targeted form of phishing aimed at impersonating senior
people and using their identity to undertake fraudulent financial
transactions.
The way to combat false confidence is to relook at policies, question
assumptions and investments, and identify emerging risks and issues.
Consider all possible scenarios – ransomware (would you pay a ransom, and
how?), data breaches, distributed denial of service attacks, sabotage and
fraud. Now is the time to plan and prepare for incidents and practise your
responses.
Stage Four: Hard lessons – ‘there’s no such thing as absolute security’.
Even the best prepared and protected will still experience a security
breach. Perhaps new security solutions are a poor fit with the existing IT
infrastructure, leaving vulnerable gaps. On balance, it’s better to go with
a security product that’s only 80 per cent right, but works with what you
already have and employees can use easily.
This is a good point to consider cyber security insurance. The act of
choosing/buying a policy will prompt you to think through potential
weaknesses and, if the worst happens, you’ll have access to expert help and
the resources you need to get the business back on track.
Stage Five: True leadership – ‘we can’t do this alone’. True leaders will
accept that this is how the digital world is, and set out to share
information and collaborate with their peers to make it ever harder for
criminals to succeed.
The cold reality is that every organisation is a target. The best defence
is not what you buy but how you behave. And businesses which treat cyber
security not as a destination but as a journey will be strongly positioned to
protect themselves in the evolving digital economy.
Read more on the five stage Cyber security journey, plus much more in a
dedicated BT Cyber Security Supplement - 'Taking Cyber Security into the
Boardroom', published in the Belfast Telegraph's Business Telegraph on
Tuesday 5th December 2017 and available here -
https://issuu.com/belfasttelegraph/docs/bt_cyber_security