Questions answered by Adrian Barrett, CEO of security firm Exonar.
1) Why has cyber-risk risen up the agenda?
I think any CEO - or head of a government department, for that matter - is pretty disgusted at the notion that their hard won competitive advantage can be so easily eroded by these sorts of attacks. Although we hear much negative press regarding the attitudes of government in the media coverage of security issues, this is a rare case when I think they are to be applauded. Security experts often find it difficult to get the ear of the board until after the worst has happened, but the attitude seems to be changing to one of 'when' will it happen to my organisation, not 'if'.
2) Is this surprising?
I have more a sense of relief than surprise. We need to get on with the task of reorganising our approach to security and the board and CEO are crucial to making this a reality. We're not there yet though, there are still companies for whom this is not being taken very seriously.
3) Should it be higher on the agenda?
Yes, I think it should - but I would say that. Really, this issue stands out as one of the few that could remove a company's ability to survive at all. The results of such an attack would certainly imply a significant loss of customers. If we're doing our jobs correctly, you'd hope that this issue will move down the list of priorities, not because it's any less important, but because we're successfully mitigating the risk as security professionals. Most companies I work with view risk, including cyber-risk, in a fairly rigid way. That is, they simply measure it in terms of whether they are over or under insured against this risk compared to their comfort levels and competition. Right now, pretty much everyone is under insured.
4) What defines the value of an organisation?
Well of course, that does rather depend on the nature of that organisation. However, speak to almost any CEO about his or her company's value, and their company's knowledge or intellectual property as well as their reputation will be very close to the top of the list. Intellectual property isn't just product designs for manufacturing companies, it can just as likely be the business processes, cost models and methodology of operating and being competitive, so it applies to services companies like banks and legal firms as well.
5) How do traditional security controls measure up?
They are trivial to circumvent. Show me information that is on a system ultimately connected to the Internet or used by people and I'll show you a way to get in. Firstly, the perimeter has all but vanished for most companies, even if they think they still have one. Cloud based services like Dropbox and Google drive, plus social media networks and BYOD policies mean that our information will inevitably be beyond our immediate control. Companies that resist this changing landscape find that people will adopt these services behind their backs if they're not embraced by the company, so refusing to participate really isn't an option. Secondly, regardless of what technical defences we put in place, our people are always going to be our biggest un-patched vulnerability. It's hard to visualise an organisation that couldn't be penetrated with a skilfully crafted spear-phishing email. In our own research, we find that approximately 60 per cent of people will click on a link in a spear-phishing email. That means as an attacker, I only need to send a few emails with a zero-day vulnerability attached and I'll be assured of success.
6) What is the best defence?
Perimeter and vulnerability based security is never going to cut it against targeted attacks and the reason is because that whole ethos leaves the defender one step behind the attacker. Vulnerability based security can only ever defend against known vulnerabilities or, at best, attack methodologies; therefore, you'll always be behind in the arms race. As an industry, we've been talking for several years about information centric security - understand what company information is valuable, where it is and why it's being used. Some of the enabling technologies on the market, such as big data and machine learning, have at last made this approach practical. The right model is to assume an attacker can get in as history has taught us this is a safe assumption. Taking this approach means you must understand where your valuable information is in order to effectively protect it.
7) Are we seeing a rise in successful attacks? If so, why?
Undoubtedly yes. A few years ago, our opponents were skilled individuals or gangs of criminals. Now they are hundreds or thousands of people with the resources of nations backing them. Doing the same thing as we've always done, but a little better, is a fatally flawed way of defending against these attacks. Our approach must become Information centric or the attacks will continue to be successful until there's nothing left to take.
8) What are the biggest threats?
Ask a CEO what information would be most damaging to the competitiveness and reputation of his or her organisation. An attacker having access to that information is the biggest threat, it doesn't really matter what form the attack comes in, because as sure as night follows day, the next successful attack will be the one you weren't prepared for.
9) What is the most effective way to stop these threats/attacks?
There are three fundamental steps to any successful cyber-attack. 1. Penetrate. 2. Discover. 3.Extract. So, an information centric approach allows you to reduce the surface area for attack while bearing in mind that your biggest un-patched vulnerability is the people you work with; ensure your information is well guarded and not too accessible; and then you are able to spot when information is being exfiltrated.
10) What steps must management take to reduce risk?
Take it seriously! Honestly, it isn't impossible or impractical to reduce the risk to a reasonably acceptable level. Empower your Security team as business enablers. Get them talk to the business and find out what they value in their area. Make security everyone's job and make it cultural. And lastly, don't throw the baby out with the bathwater, if you lock people down too much, they'll just find a way around the control and your organisation will be less secure as a result.
Image: Flickr (infocux Technologies)