Think Like a Bad Guy

Cybersecurity is a growing concern. While organisations have been getting much smarter about cybersecurity in recent years, the bad guys seem to be getting better, faster.

Evidence suggests that recent improvements in cybersecurity are not keeping pace with the growing sophistication of motivated attackers. Research by Accenture found that the average organisation faces 106 targeted cyber-attacks per year, with one in three of those attacks resulting in a security breach.

In effect, that means the average organisation suffers two or three security breaches every month, according to the Accenture High Performance Security Report, an international study of 2,000 security executives representing companies with revenues of $1bn or more.

And more than half (57pc) of executives admit it usually takes their organisations months to detect targeted breaches. Part of the challenge is the current approach taken to cybersecurity by many organisations. The market is very fragmented, with a focus on individual “point solutions” that prove effective against a specific weakness; at the enterprise level, however, this starts to resemble an attempt to plug the individual holes in a sieve.

Kelly Bissell, managing director for Accenture Security, argues that the time has come for a “new approach” to cybersecurity – “one that protects the most important business assets of the organisation from the inside out and across the entire industry value chain, from the oil rig in the North Sea to the petrol pump on the forecourt”.

“It’s like chipping away at an iceberg: you can’t do the whole thing at one time, so do the things that are most important first and then move down the line.” – Kelly Bissell, Accenture

Mr Bissell believes that businesses need to be “surgical” in their approach to preventing and detecting cyber-attacks. “Better cybersecurity is not just about making more investment or paying greater attention,” he says. “It’s applying security techniques and technologies to the company’s most important business assets and ensuring we understand what we’re protecting and why.”

Companies should take both a short- and medium-term approach to cybersecurity, he continues. “So the first thing they need to do is lay out their key assets that differentiate them in the marketplace, and protect those assets first, putting in place protective and detective controls. Then they can work through their other assets.”

As Accenture’s study highlights, organisations cannot afford to stay still when it comes to cybersecurity. They need to keep innovating, in the same way that their opponents are. This may require them to redirect resources to new strategies and programmes, and to explore how a third-party vendor could bring benefits in terms of a fresh perspective, market knowledge and specialist expertise.

For example, a vendor could help them to assess their cyber-readiness through incident scenarios, analysis of competitive and geopolitical risks, peer monitoring and evaluation of whether a security-minded culture exists at organisational level. It could also compare the organisation’s investment in cybersecurity against industry benchmarks, as well as its business objectives and evolving cybersecurity trends. The value of having an external perspective is made clear by the report’s finding that internal security teams discover just 65pc of effective security breaches.

Chief security officers can spread the message that security is part of everyone’s daily job – Kelly Bissell, Accenture

The report makes six specific recommendations for businesses looking to develop a more precise cybersecurity strategy. These recommendations range from defining exactly what success looks like, and pressure-testing security capabilities with simulated hacking, through to prioritising the protection of key assets, and getting board-level acknowledgement that cybersecurity is critical to preserving the value of the company.

A further recommendation focuses on the principle that security is a shared responsibility. Yet, given additional budget, only 6pc of UK executives say they would invest in cybersecurity training for their staff.

Mr Bissell believes that chief security officers have an important role to play in this respect. “They need to understand all the different divisions within the company and support the company to make risk-based decisions,” he says. “They can spread the message that security is part of everyone’s daily job. And if they do that, they can help the company to be more secure.”

Finally, the study recommended that businesses take a more innovative approach to cybersecurity by investing in state-of-the-art technology that allows them to outmanoeuvre their adversaries instead of funnelling additional money into existing programmes. This will require a change of mindset for between 43pc and 56pc of UK respondents who revealed that they would spend any extra budget that they receive on the same things they are doing now.

Nevertheless, Mr Bissell believes that by investing in the right resources and thinking creatively, security teams can get the better of their cyber-opponents.

“They need to think like a bad guy,” he suggests. “They need to think about how their company might be attacked and think of ways to protect against those potential vulnerabilities.”

Source: Daily Telegraph