Practical Advice on Minimizing Cyber Risk
Online and Mobile Safety
What are challenges facing businesses and consumers as they venture online?
What are a few of the challenges when it comes to protecting a business or consumer from a cyber attack?
Peter Evans: Historically, businesses have taken a reactive approach to cyber security. Fast forward to today and this reactive approach is deeply embedded in the complexity of security programs. CISOs find themselves reacting to external influences — vulnerabilities, attacks, compliance mandates, new security tools, board room directives — which in turn has resulted in inefficient, non-integrated solutions that are overly complex and costly to protect against the increasing risk landscape. This “outside, in” approach has left even long-tenured legacy organizations scrambling to find solutions to their security woes. A much more effective model looks inward, not outward, to improve security. From security culture to board room communication to evaluating each and every security tool and program, taking a diagnostic of your organization from the inside will yield much better results.
Philippe Courtot: The biggest challenge today is to make security transparent or nonintrusive.
Anna Convery-Pelletier: Customers rightly expect online services to be easy to use, always available and secure. Security needs to be built in from the start of any new service. But as more traffic moves to a mix of public and private clouds, it’s a much more complex environment. Every data center and its applications have different hardware and software security policies.
Shehzad Merchant: I think our entire mindset needs to evolve. We can no longer think that deploying a solution like an antivirus or a firewall is enough to secure a business or consumer. For enterprises, information security is no longer the responsibility of just the InfoSec team. Certainly, deploying products built for cyber security helps, but ultimately, the human element is the easiest element to compromise and is the biggest attack vector. We live in a world where the broader mindset is that deploying a cyber security product is good enough. To me, that’s the biggest challenge we face. The second challenge is the notion of a disincentivized producer and consumer. A consumer will buy a product based on the features, capability or utility of the product. You buy a home DVR for how many hours and how many programs it can record. You don’t ask nor pay for how secure that device is. Consequently, the producers of those devices are not incentivized to invest in the security of that product as that adds cost. This problem transcends both the consumer world and the enterprise world, and it is leading to a society that is increasingly insecure.
How can our readers overcome these challenges?
PE: Security needs a different approach and a fresh perspective. Readers can begin to take an inside-out approach to security, bucking the outdated, reactive model. Start with the needs of the business and risk priorities, not the external drivers. External factors change so quickly that reacting to each one is akin to putting your finger in a leaky dam — it may be effective for a short time, but it doesn’t address the actual problem. The most effective security programs share many aspects: a holistic, bottom-up, culture-driven approach; one that has board-room buy-in and combines people, process, and technology to achieve the best results.
PC: Cloud-based solutions are a significant improvement that allow the cost of security to be absorbed across many users. They also make it easier to build security in, enabling protection that is far more transparent to users than traditional on-premises solutions.
ACP: Hackers never sit still. But the good news is the cybersecurity industry does not sit still either and continues to deliver innovative solutions and intelligence. Additionally, the cybersecurity industry is highly collaborative, sharing information and knowledge to enable organizations to identify, protect and minimize the impact of security vulnerabilities. It is imperative that security be a priority for all business operations, not just a tick in the box activity or, worse yet, an after-the-attack scramble.
SM: I think it starts with us realizing that cybersecurity is no longer just the responsibility of others. We all have to become more educated about it. We also have to look beyond compliance and truly look at risk mitigation. While compliance is good, we truly have to take cyber-risk mitigation seriously. The other point I would make is that relying on endpoints being secure is perhaps a losing strategy. As I mentioned earlier, the human element is the easiest to compromise. We have to put controls in other places that are less easily compromised, such as the network to which these devices are connected.