We need a different attitude towards cyber security
When you look at security through a customer’s lens, complexity and fragmentation are among their greatest enemies. Unfortunately, the security industry has, over the years, made this incredibly difficult for companies.
So how can we make things easier for them?
In our annual cyber security report, we identified that 55% of organisations across the world are using between 5 and 50 different solutions (some are using a lot more). The issue here is that a lot of these solutions weren’t necessarily designed to work together. Instead, they served an immediate need at the time.
However, we are now working in new and evolved ways:
- Users are accessing your network from their own smart devices, from wherever they are.
- Corporate apps, servers, and data are in the cloud.
- Devices that don’t even look like computers are connecting to your networks (the growth in Internet of Things devices).
Given this context, businesses are now facing the challenge of having a patchwork quilt of old and new technologies, with a significant amount of legacy IT, and multiple security vendor solutions.
A lot of companies have tried to solve the problem of cyber security by throwing unconnected technology at the problem, without a clear strategy in mind.
Unfortunately, whilst the intent is good, this approach creates gaps, management headaches and inefficiencies that attackers can exploit. In other words, the very opposite of what they were trying to accomplish.
Each new solution comes with another management interface. Each one also demands human resources and management hours to set up, set policy and respond to alerts, and it’s not always clear whether the extra security outcome you gain is worth the extra effort you put into managing that solution, rather than focusing on bigger problems elsewhere.
You may have added complexity, without much overall incremental effectiveness.
Because the way we work has evolved, we now need a real sea change in the way we think about cyber security. We can no longer continue down the same historical route of ‘got a problem? Buy a box’. Simply put, this approach is working against us.
It’s also a situation which isn’t helped by the fact that security is still seen as primarily an ‘IT issue’. According to the Cisco Security Benchmarks Study, UK organisations agree less strongly than those in other countries that line-of-business managers are engaged with security.
This is a real problem, because it often means that security gets “bolted on” rather than embedded in a company’s ecosystem, meaning you’re not able to grow as quickly as you would like (businesses often find themselves going back and fixing things because of cyber security concerns). The attitude in the UK is, overwhelmingly, “Security is IT’s problem.”
That has to change…and quickly. Under GDPR, any organisation with an office within Europe will need to consider security and privacy throughout its entire life cycle. Simply bolting security on at the end will be a case of non-compliance, as you need to demonstrate that you’ve taken security and privacy seriously.
Thirdly, you’ve got the trend towards increasingly sophisticated campaigns carried out by the cyber criminals.
Hackers can now demonstrate a level of professionalism that challenges a business’s ability to cope. Whilst some remain motivated by the fun or challenge of it, and some do it for reputation purposes, more and more hackers are motivated by financial gain.
When cyber criminals break into systems, they are looking to steal credit card information, email addresses, usernames and passwords…or basically anything that they can sell on to the highest bidder.
Alternatively, they can hold businesses hostage with ransomware, a ruthless practice which grew by 300% last year. Ransomware encrypts your files without your consent, and only the developer of the ransomware has the key to decrypt them. Some forms of ransomware also spread across the network, such as the recent WannaCry outbreak, which took advantage of a weakness in Microsoft’s SMB protocol.
Crucially, cyber criminals understand their targets—down to their likes and dislikes and how they conduct business. They know what businesses will pay for their data to be released, and they exploit any weakness they find ruthlessly.
In 2016, cyber criminals stole $81m directly from a bank in Bangladesh – and would have got away with almost ten times more, were it not for a crucial typo that aroused suspicion.
The issue here is that cyber criminals are agile, while companies can’t always say the same. Especially when they’re managing such complex environments…or ‘frankenstructures’ as we like to call them, as they’re so monstrous.
With all these challenges to overcome, it would be easy to take a fairly negative attitude towards cyber security: it’s messy, it’s never ending, and painful to deal with. The metaphorical trip to the dentist.
However, cyber security only becomes a business impediment when you don’t give it the respect it deserves. When you do, it actually becomes a key driver for your business.
In just three years, an estimated 50 billion new devices will be connected. Businesses have a huge opportunity, if they can seize this digital revolution securely. All it takes: a holistic approach to cyber security. Enacting layers of protection from routing and switching, to the cloud, to the endpoint and beyond.
The goal for businesses has to be to see a threat once, and block it everywhere. Supported by this capability, organisations can advance their business more quickly and capture opportunities ahead with the confidence that they are secure.
To do this, you need security products that intentionally play nicely with others in the security stack.
This openness fosters “best of breed” solutions in the truest sense of the word—solutions that inter-operate. Cisco’s security products are open, which means that when you use them, they will solve incrementally more of your security problems.
We discussed the ‘top of mind’ cyber security challenges that businesses are currently facing in a Facebook Live broadcast from the InfoSecurity event (actually, we went down the road to Pizza Express to do the filming…for reasons that will become clear from the beginning!).
During this panel we talked about how to manage complexity, why ransomware is still so prevalent, how businesses can best prepare for GDPR, how to deal with insider threats (the thing that most organisations have in common is staff, and staff are clickers!) and, crucially, how to put security front and centre of your business’s strategy. Well worth a watch!
If you’d like to find out more about how to use security to put your business on the front foot, take a look at our dedicated website.