With one third of business leaders apparently not intending to improve cyber defences in the next 12 months, our Editor’s Question for March is:
What message would you send to business leaders who have no intention of improving cyber defences?
Ned Baltagi, Managing Director, Middle East & Africa at SANS Institute.
With today’s cyber criminals doing anything and everything to stay ahead, the cyber security industry must continuously fight to keep pace.
The rising tide of cyber-crime means that every organisation needs to start taking cyber security more seriously and ensure they’re equipping their current and future workforces to help present a united front online.
Cyber criminals will not and do not make exceptions for those they target and organisations need to act accordingly.
While many organisations are investing more heavily in technical solutions to combat cyber criminals, this does not always extend to investing in the skills of their security staff.
Training should be a core part of every organisation’s cyber security strategy.
Without continuous training to stay up to date with the latest threats and defensive techniques, organisations continue to leave themselves vulnerable to cyber-attacks.
Digital transformation is a key theme today that is being driven by business requirements rather than IT.
Research firm IDC predicts that by the end of 2019, digital transformation spending will reach $1.7 trillion globally, representing a 42% increase from 2017.
There is no question that businesses recognise the need to invest in their IT infrastructures to create compelling, convenient and reliable digital services for their employees and customers.
At the same time, as we move business processes to IT platforms, we also need to ensure these platforms are secure.
Disruption to an organisation’s services, or worse still, a data breach, could cause irreparable damage to the brand and even movement of customers to competitors.
With this potential impact, can business leaders really afford to neglect cyber security?
The good news is that there has been a change in mindset in the last couple of years and organisations today adopt a proactive rather than a reactive approach to cyber security.
I therefore believe that rather than it being a case of business leaders having no intention of improving cyber defences, the challenge lies in them either underestimating the threat to their organisation, or being constrained by IT budgets.
All evidence shows that the frequency and sophistication of cyber-attacks is growing and it is no longer a question of if but rather when an organisation will be attacked.
Just deploying a stack of defence technologies does not guarantee security and worse still, this false sense of security can result in incidents being overlooked.
The Ponemon Institute found that US companies on average take 206 days to detect a data breach.
So even if you have invested in the best security solutions, you need to ensure that you are constantly training and retraining your cyber security personnel in techniques such as continuous monitoring, intrusion detection, prevention and digital forensics.
In short, expect to be attacked and ensure you have the ability to detect and mitigate the threat.
Organisations that want to harden their security but are limited by their budgets should also focus on addressing the most critical aspects, i.e. the systems and processes most likely to be exploited by attackers.
This requires your IT team to be well trained in vulnerability analysis and penetration testing.
Once the most urgent vulnerabilities have been addressed, the company can optimise the utilisation of its existing cyber security investments by investing in the skill sets of its IT team.
Well-trained security professionals are better equipped to configure and manage existing security investment to increase their effectiveness.
The tools and security systems available today can mitigate the large majority of attacks, so the risk actually lies in the organisation’s failure to implement a cyber security strategy that addresses the two remaining fundamental pillars of cyber security – processes and people.