Earlier this year, the UK’s flood defences were tested to their limit, and equally businesses today are being forced to hold back a flood of increasingly sophisticated security attacks to protect information assets. Cybercrime, like the weather, is often unpredictable, but organisations can survive this flood by making risk-based decisions that focus resources in the right place at the right time to prevent costly breaches to their defences.
Coverage of serious flooding to many parts of the UK dominated the headlines this year. There are still heated discussions between those who argue that more should have been invested in planning and delivering proper defences, and those who claim that the amount of rain in such a short period meant there was little more that could have been done to prevent the devastating effects.
Organisations that have a clear understanding of the value of their information assets and build robust security defences in line with business objectives put themselves in a more competitive and solid position – simply by adopting ‘active risk management’.
Most companies now believe their exposure to cyber risks is increasing – but only 21% have taken action to mitigate these risks (July 2013, FTSE 350 – ICSA Boardroom Bellwether report – ICSA Group). If profits were falling or customers leaving, no business would ignore these signs, and yet when it comes to security risks, they don’t always respond with the same urgency.
However, analysing information risk is much more difficult than spotting falling profits or customer dissatisfaction – there are no flashing lights or obvious warnings to spur a business into action. Unfortunately, unlike a flood, you cannot see a security breach coming. To have an informed conversation about risk, organisations need to understand the value of their assets in real and practical terms – terms that grab the attention of the right people and prove ROI.
Risk is not always bad, though. It might be important to fuel innovation or drive business growth, so proactive risk management must be in line with business goals – helping a business to grow and develop with a full understanding of the associated information security risks.
Managing the risk of advanced persistent threats
There is increasing uncertainty around how to manage so-called advanced persistent threats (APTs). They may not act like a flood in the way that DDoS attacks can overwhelm an organisation’s network, but many companies fear that they are unable to give their board guarantees that they have not already been the victims of an APT.
If an attacker targets a business, this is not random like the weather! They want something and will use everything to get it. The threats of today are characterised by the way they blend and use available resources to compromise systems. This can include targeting employees with what appear to be legitimate requests, based on information collected on the internet, including friends, interests and where they work, along with the company’s annual reports and news.
Attackers use this information to craft highly credible emails and links to get that one, all-important click or trick hard-working staff into sharing confidential information – once that’s done, they are in. This is how many of the high-profile attacks on robust multinational companies bypassed traditional defences. This is not a flood, but a targeted drip feed into an organisation.
New attack vectors require new ways of testing defences
Organisations need to know exactly how well equipped they are to face this constantly changing threat landscape and actively manage their risk. Working closely with information security and risk specialists, they can achieve greater visibility and understanding. They can put themselves in the position of potential attackers, and understand what attackers can learn about them online and how their employees might react to unsolicited emails and web links. Armed with a comprehensive picture of where they are vulnerable, organisations can then put their investment in the right places to actively reduce risk while maintaining business as usual.
Not unlike the costs of clearing up after the recent floods, the further an attack progresses within an organisation the more it costs to recover from it. With a DDoS attack, it is possible to predict the real and measurable cost to the business in thousands of pounds lost per second in downtime, as well as the impact on productivity, business transactions and customer satisfaction; the potential costs of an APT are much harder to quantify. So understanding how APTs work within an organisation and actively managing the risk can have huge competitive and cost-saving benefits.
The discussion about whether the right investments were made to protect our country’s infrastructure and people’s homes from the recent weather conditions will continue for some time. But for organisations determined not to open up the floodgates to cyber attacks, active risk management gives information security and risk management professionals the context and the intelligence to ensure they invest in the right defences. It can also reduce overall IT spend and build information security and risk management maturity into the foundations of the business to provide competitive advantage and future growth opportunities.
By Tom Salkield, Professional Services Director, NTT Com Security