Executive Insight by George Patsis | Published on SC Magazine UK
There is always a 900-pound gorilla in the room at international cyber-security conferences such as this year’s InfoSecurity Europe 2018 in London. It is the glaring but generally unspoken fact that the cyber-security industry has not only failed itself and its customers. It has managed to continue to do this consistently and spectacularly over a period of years.
Recent evidence includes the recent Dixons Carphone security breach that exposed the customer details of 5.9 million payment cardholders and 1.2 million personal data records. The hackers attacked the systems of Currys PC World and Dixons Travel stores about a year ago and, had the EU’s General Data Protection Regulation (GDPR) been in force, the company would be liable for swingeing fines. There are doubtless countless other UK firms with similar, if not more dangerous skeletons in their cupboards, as a result of a widespread failure of the cybersecurity industry.
The 19,500 industry professionals from around the world who attended InfoSecurity Europe were effectively offering sticking plasters to cover a gaping wound. Contested assessments on the cost of cyber-attacks range from approximately £ 300 billion for 2014 to more than £2.1 trillion by 2020 or £6 trillion by 292. But while cyber-crime is rising, so is year-on-year spending on cyber-security. Clearly, something is failing.
Instead of investing their hard-earned cash in buying the latest solution to the latest threat and opting for the latest anti-ransomware security or whatever is flavour of the month, companies should take a less patchwork approach. Rather than purchasing expensive security that addresses only part of the problem or hiring an expensive and highly-paid in-house security team, companies should outsource the problem and put themselves in expert hands.
Observing the ever-changing cyber-threat landscape effectively is a 24/7 365 days a year job. Constant professional vigilance is essential in knowing where the next threat is coming from in order to prevent or contain it effectively. It is then crucial to evaluate the relative level of risk in order to know where best to deploy security resources. External advice should always also be sought when containing a cyber-attack and limiting its consequences.
Although cybersecurity-as-a-service has been on offer for almost a decade, it is rapidly becoming an essential corporate survival tool rather than merely a convenient solution. Cloud-based operations, online customer interfaces, largely online corporate partnerships and all the other new digitally-based ways of managing data and running businesses yield an unending series of openings for cyber-criminals.
For some time now, even relatively unskilled threat actors have been able to take advantage of the latest emerging loopholes in corporate security by purchasing one of the many cyber-crime-as -a-service products on offer on the Darknet. Specialist Darknet offerings such as the new generation of ransomware-as-a-service now offer their services for free in exchange for a slice of the threat actor’s profits.
The cyber-security industry’s reluctance to supply its increasingly diverse and complex solutions as a comprehensive service has left it lagging severely behind the criminals, who have been laughing all the way to the bank for years.
But the industry still has a chance of catching up with the cyber-criminals and, hopefully, overtaking them. At InfoSecurity Europe 2018, there was a gradual spark of understanding that a far more holistic approach must be taken to deploy the latest digital technologies effectively.
Emerging Integrated cyber-risk management is all about integrating people, process and technology while managing risks in real time. It is a mindset shift rather than another product.