It was announced recently that GCHQ, the Government’s electronic intelligence unit, is to advise Britain’s senior business leaders on how to oppose the mounting threat of cyber attacks.
There is rising concern over the risk of cyber warfare and its effect on the British economy, highlighted by an estimated cost to the country of £27bn a year from attacks on computer systems, industrial espionage and theft of intellectual property. According to last year’s “Cost of Cyber Crime” report, the country’s business sector is the worst affected, losing £21bn a year in revenue.
As a result, businesses are starting to recognise that targeted attacks are a serious issue not just affecting their bottom line but also their customers, suppliers and employees.
A recent report by Gartner has predicted that the worldwide spend on IT security is in the midst of an 8.4 percent increase, and is expected to continue to rise through 2016. According to the report almost 45 percent of CIOs interviewed anticipated increases to their security budgets, while 50 percent expected their security budgets to remain level.
These results support the observation that businesses are beginning to wake up to the seriousness of cyber attacks… But are they making intelligent security investments in IT?
In order for businesses to protect themselves effectively they need to acknowledge and understand the threat landscape. However, to understand this landscape companies need to initially look within their organisation.
It is instinctive to look outside the business when trying to identify potential security issues, but the harsh reality is that the biggest threat to most organisations is internal.
Staff are unlikely to ever intentionally compromise network security, but there are any number of ways that their accidental behaviour may impact the security systems that have cost so much time and money to put in place. As well as guarding against external attacks such as hackers and viruses, it is essential to understand how employees interact with the IT network and to invest in measures that stop them from putting it at risk.
Bring your own danger
In businesses of all sizes and across all sectors, employees are increasingly bringing their personal mobile devices into work and using them to access corporate data. With this huge shift in how employees access company data, businesses worldwide are in a state of uncertainty about whether, and how, to protect their networks against the threats brought about by this influx of mobile devices.
Research we carried out at Infosecurity Europe in the UK and at RSA Conference in the US revealed that security practitioners in both nations strongly agreed that mobile devices pose a significant threat to their business (UK: 93%, US: 96%). Despite this, a high proportion in each nation said they had no clear way of identifying “known” mobile threats that could be attacking their network (UK: 44%, US: 47%).
Smartphones and tablets present IT departments with a common set of challenges: they carry and provide access to a lot of data; they can be easily lost or stolen; they transfer data over a network that can be easily breached; and they run applications that can be modified to carry malware.
Placing important data on a mobile device that is easy to lose or steal poses the same problem as uncontrolled laptops, only worse. With all mobile devices we have a situation where information is everywhere, getting auto-synced, distributed, cached and downloaded. The technology is new and rapidly changing, so the potential for spyware is huge, and smart devices will remain a constant security concern now and in the future.
The importance of real-time visibility
Despite their best efforts, today’s complex networks and dispersed workforces mean it is very unlikely that most IT managers could honestly say they have a totally accurate, 360-degree view of their IT system at any given time. The plugging-in of an unprotected iPad is likely to go unnoticed for at least long enough for its vulnerabilities to be exploited and corporate information to be compromised.
The best line of defence is visibility. Even if security issues can’t always be anticipated and avoided, it is critical that they are identified and dealt with effectively before they are able to have a negative impact on the business. What an IT department needs is not just a set of rules and policies but a real-time overview of the network, outlining every key IT asset, where the potential vulnerabilities are, how devices are being used, and whether each device belongs to the company or is an external one. It is no longer sufficient merely to run patches on a Tuesday and a weekly scan of the network.
Deploying a vulnerability scanner like Nessus is a great start, but to keep the network secure 24/7 a fully automated and managed solution is required, because an organisation needs to know it is protected against the growing risks and threats it faces at all times, not just at scan time. Essentially, it is the difference between using a still camera and a video camera to record a live event – the choice is pretty clear.
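The point of the two paragraphs above is that a weekly scan sees only a snapshot, whereas an unmanaged device should be noticed the moment it joins. As an added illustration (not code from the original article or from any product it mentions), the Python below watches DHCP lease lines and flags, on first sight, any device whose MAC address is absent from the company’s asset register. The log lines, MAC addresses, hostnames and the asset register are all constructed for the example; a real deployment would tail the DHCP server’s log and pull the register from the asset database or MDM export.

```python
import re
from dataclasses import dataclass

# Constructed DHCP lease lines in an ISC-dhcpd-like syslog style (sample data,
# not a capture). Two managed machines, then two personal devices appearing.
SAMPLE_LOG = """\
2012-10-01T09:02:11 dhcpd: DHCPACK on 10.20.1.15 to 00:11:22:33:44:01 (FIN-LAPTOP-07) via eth0
2012-10-01T09:03:40 dhcpd: DHCPACK on 10.20.1.16 to 00:11:22:33:44:02 (HR-DESKTOP-03) via eth0
2012-10-01T09:05:02 dhcpd: DHCPACK on 10.20.1.57 to AA:BB:CC:DD:EE:01 (Alices-iPad) via eth0
2012-10-01T09:05:09 dhcpd: DHCPACK on 10.20.1.58 to aa:bb:cc:dd:ee:02 (android-9f3c) via eth0
2012-10-01T09:07:30 dhcpd: DHCPACK on 10.20.1.15 to 00:11:22:33:44:01 (FIN-LAPTOP-07) via eth0
"""

# Constructed asset register: MAC address -> asset tag of a company-owned device.
MANAGED_ASSETS = {
    "00:11:22:33:44:01": "FIN-LAPTOP-07",
    "00:11:22:33:44:02": "HR-DESKTOP-03",
}

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \((?P<host>[^)]*)\)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ts: str
    ip: str
    mac: str
    host: str


def parse_leases(text):
    """Extract DHCPACK events; MACs are lower-cased so inventory lookups are exact."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            leases.append(Lease(m["ts"], m["ip"], m["mac"].lower(), m["host"]))
    return leases


def unmanaged_first_seen(leases, inventory):
    """Return the first lease for every MAC that is not in the asset register.

    Repeat leases for the same unknown device are collapsed so an operator gets
    one alert per device, not one per renewal; known devices never alert.
    """
    first = {}
    for lease in leases:
        if lease.mac in inventory:
            continue
        first.setdefault(lease.mac, lease)
    return list(first.values())


def format_alert(lease):
    """One-line alert suitable for a SIEM or a pager."""
    return f"{lease.ts} UNMANAGED DEVICE {lease.mac} host={lease.host!r} ip={lease.ip}"


if __name__ == "__main__":
    for lease in unmanaged_first_seen(parse_leases(SAMPLE_LOG), MANAGED_ASSETS):
        print(format_alert(lease))
```

Run as a script it prints one alert each for the iPad and the Android phone and nothing for the two registered machines, even though the finance laptop renews its lease twice. Matching on MAC alone is deliberately crude (a MAC can be spoofed, and virtual interfaces muddy the picture), so in practice this check is a first signal that feeds the asset register and the scanner, not a replacement for either.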
This is not a problem that will resolve itself easily, as the complexity of threats increases with developments in both technology and the sophistication of attackers. It is important to recognise, though, that it is not just the responsibility of IT: employees themselves, with the right education and training, can significantly reduce the frequency of security breaches. Effective training can help staff to identify suspicious emails and understand the dangers their mobile devices can carry. Informing everyone in the business, from CEO to intern, about how some of the attacks work and what to do once they have been compromised is no less important than installing the latest security software.