Talking Business
There are a few phrases that we hear very often from members of the Cyber Security profession. “There is no such thing as perfect security” is one of these – it means that no matter how much money / technology / talent you throw at the problem, the closer you get to that mythical “100% prevention” marker, the smaller and smaller your incremental improvements will become. The reason for this is simple, and is summed up by the next oft-used phrase on my list, “In order to be successful, we must have a 100% threat prevention rate, whereas attackers only need to get through once out of a million attempts for their campaign to be a success.” The fact of the matter is that your security can successfully repel attack after attack, more and more advanced threats, for months and years, but the moment one gets through – the battle has been lost. And rest assured, a determined attacker will keep going and going until they get through.
My third heavily repeated phrase outlines a problem that senior level professionals often face, “the security budget is never big enough, because how can I sell projects to the board for investment that will give zero return, projects where the best case outcome is that nothing happens.” The trouble with security is that it requires significant investment, proportionate to the value of the business of course, in order to do what? To speculatively defend against an invisible, unquantifiable, unpredictable threat, a task that, as we’ve just said, is destined to fail eventually.
However, attitudes may be changing
Perhaps it wouldn’t be completely unfair to say that nothing motivates senior board members more than the realisation that they’re going to be the ones very publicly taking the blame when a certain substance hits the proverbial fan. There have been many high profile breaches in the last year or two, and there is little doubt that some sectors have finally started to take the issue a lot more seriously than others.
One such sector appears to be financial services, where PwC report that “average information security spending is up 14%” over the last year. And it appears to be having an effect too – Verizon’s 2016 Data Breach Investigations Report found that the financial sector has a significantly lower ratio of security incidents to confirmed data breaches, at just 50%, compared to over 75% in many other industries.
One potential success story in particular stands out – the Telegraph recently reported that “Lloyds Banking Group has seen an 80pc to 90pc drop in cyber-attacks” over the last two months, citing “greater co-ordination with law enforcement agencies, and the implementation of extra layers of defences”. It certainly sounds like an outrageous claim, and perhaps the sceptical among us could think of a variety of other factors to attribute this to. However, let us concentrate on the second half of the sentence that I just partially quoted:
“online criminals and fraudsters have switched their attention to other industries.”
When one side of a set of scales moves in one direction, the other must move in the opposite, and you can say with some confidence that cyber-attacks have not decreased overall. So if attacks on those sectors now making themselves less easy targets are decreasing, then who is experiencing the respective increase? Clearly those who have been left behind.
When a thief scopes out a building to rob, or a car to steal, they generally go for the one with the least security, the least risk, the easiest target, even if that might mean a smaller payday. Of course there are exceptions, I doubt we’ve seen the last “SWIFT Heist”, nor will those with a vendetta likely suddenly back down.
Easiest Targets
Actually you don’t have to look far to see such increases. I already reported that charities, hospitals and schools were seeing dramatic increases in certain types of attacks, while small businesses are increasingly being targeted by spear-phishing campaigns traditionally thought of as the domain of large corporations. Similarly, the IBM X-Force 2016 Cyber Security Intelligence Index notes a trend of attackers turning their attention away from the financial services sector, in favour of attacks against manufacturing and healthcare companies.
Don’t wait until it happens, get in touch, have your defences assessed, and make sure YOU are not an easy target.
2-sec is a leading provider of security consulting services. These include penetration testing, PCI DSS, Cyber Essentials, PA DSS, virtual CISO and training & awareness.