[BreachExchange] 10 reasons not to innovate your cyber security

Destry Winant destry at riskbasedsecurity.com
Wed Feb 21 18:23:00 EST 2018


https://www.itproportal.com/features/10-reasons-not-to-innovate-your-cyber-security/

When was the last time you assessed your cybersecurity strategy? Given
today’s ever-changing security landscape, it’s probably been too long.

In this world of constant cyber threats, businesses can’t afford to be
complacent. Yet, despite the near constant stream of data breaches
making headlines, far too many organisations insist that their current
security model is good enough.

Dan Panesar, VP EMEA, Certes Networks, outlines 10 reasons businesses
give for maintaining the status quo.

1. You’ve never been hacked before, and you’re confident you know
where your critical or sensitive data is at all times. Why change
something that’s working today?

No business can ever be 100% sure where its data is or that it hasn’t
been compromised in transit. Failure to recognise this issue is a
board level responsibility.

2. You tick the boxes when it comes to GDPR, PCI DSS, HIPAA (and other
regulations) so you’re secure. No company that has met their
compliance requirements has ever been hacked, right?

Taking a compliance-led approach to securing customer data creates
a fundamental vulnerability within the cybersecurity infrastructure,
simply waiting for hackers to exploit. Compliance is important,
clearly, but it should be a subset of the overall, continuously
evolving security strategy, rather than an end-point goal in itself.

Organisations are understandably concerned about the financial
penalties associated with failing to achieve regulatory compliance.
But take a step back and consider the financial implications of a
data breach, of a high-profile customer data compromise. That is a far
more significant cost and an event that will have long-term
repercussions on customer perception and loyalty.

3. You’re happy that your WAN provider has the necessary controls in
place to keep your data secure as it moves between your locations.
They said you could trust them, so why wouldn’t you?

WAN providers can’t guarantee the security of their environments, and
the security of your data is ultimately your responsibility. What’s
needed is a security-first ‘Zero Trust’ mindset that protects data
before sending it onto the carrier network.

4. Your board is telling you that IT costs need to be reduced, so the
easiest thing is to cut the security budget; it reduces cost without
reducing functionality. But, just in case, you increase your cyber
insurance coverage.

Cyber-security insurance policies require customer diligence. You
cannot buy an insurance policy, not deploy security, and then expect a
post-hack payout.

More significantly, think about the cost and loss of earnings
associated with the fallout of a data breach...

Now rethink cutting your security budget.

5. Your network is secure so you don’t need to secure your data in
motion. After all, you own the entire infrastructure end to end,
wherever your data goes.

When 70% of all breaches are the result of internal user compromise,
this is a false sense of security.

Not only are current security models broken, current trust models are
also broken and must be realigned and rebuilt. The only way to do that
is to change the emphasis. Shift the focus from infrastructure to user
and it doesn’t matter how complex technology has become, or becomes in
the future: the security model remains simple and hence both
manageable and relevant.

Moreover, whether the environment is owned by the business, by a third
party, or in the cloud, when access is based on users and applications,
only a user with the cryptographic keys and credentials gains access.
It is that simple.

6. Your trusted advisor is telling you not to worry; you can do
encryption on your firewall, switches and routers for less money and
achieve the same result.

Turning on encryption in a network device WILL degrade the
performance, typically by 50%. The reason lies in the way encryption
has been deployed to date.

In order to address the continued friction between operational goals
and security imperatives, organisations need to decouple encryption
from the infrastructure completely. The answer is Layer 4 encryption.

Layer 4 encryption is dedicated to providing the level of trust of
data in motion and applications moving across the infrastructure, yet
avoids any impact on network performance and complexity. Furthermore,
Layer 4 operates in ‘stealth’ mode: it is only the data payload that
is encrypted – not the entire network data packet.

All of the complex management and maintenance problems created by
traditional encryption deployment are removed. The data in motion is
secure without adding complexity or compromising operational
performance of the infrastructure.

7. You’ve been advised that you don’t need encryption because your
firewalls will keep the hackers out, or if not, your intrusion
detection will let you know immediately so you can stop a breach while
it’s happening.

Current security thinking must move away from the outdated model of
securing the perimeter, which assumes that breaches can be ‘protected’
against, ‘detected’, and ‘reacted’ to. But with the average time to
detection being 120 to 150 days, depending on the source, this clearly
is a fallacy.

When it comes to data breaches, it is ‘when’ not ‘if’ it happens, so
organisations must think about how they can best ‘contain’ a hacker
from wreaking havoc on their data.

8. You prefer complexity over simplicity, and are happy to spend the
money on complex solutions and highly skilled staff to manage them.

You need to look at indirect costs as well as direct. The more
management you have the more you’ll spend.

9. Thought leadership and innovation are not important. Why should you
look at doing something you already do today in a better, simpler,
more cost-effective, more scalable way?

The hacking community is always trailblazing ahead. What’s more, the
game has changed; it’s no longer about the high-profile, kudos-winning
breaches. Today’s hacking community is far more focused on the theft
of sensitive customer data that will leave those affected with
long-term repercussions.

Cyber security must be a process of continual evolution: Just because
you feel protected today doesn’t mean you will be tomorrow.

10. Data compromise is something that happens to other businesses, not yours!

That’s what all the brands that have been in the headlines over the
past 18 months thought as well.
