Another year is upon us, and we take time to review what happened in the world of internet security threats in 2014, what new threats could take shape this year, and how best to protect your information from this growing global threat.
Last year saw an unprecedented rise in coordinated internet attacks, despite record levels of money pumped into IT security by corporations, governments, and individual users- estimated to be $71.1 billion (US) in 2014. This year, that total is expected to jump to $76.9 billion.
"Ironically, despite this enormous commitment to keeping our information safe, successful cyber-attacks cost the world economy between $375 and $575 billion (US) in 2014, and the number of attacks was up 48% to 117,339 attacks a day."
The primary suspects break down into three general categories:
Rogue Nation-States: Their motives are self-evident; nations utilize cyber-attacks to steal sensitive information from rival governments in order to apply it to their own political and technological agendas. Their tactics are hard to trace, making it extremely difficult for victim nations to definitively point the finger in their direction.
Cyber Criminals: The most common of the cyber attackers, these individuals and groups are attacking to obtain personal information from companies and individuals for financial gain.
“Hacktivists”: These are persons or groups who commit cyber-attacks against governments or corporate organizations in an attempt to cause disruption or embarrassment in order to fulfill personal, political or religious agendas.
Billions of dollars invested in IT security have not been effective?
So why is it that the billions of dollars invested in IT security have not been effective in stemming the tide of successful cyber-attacks? Many IT experts feel there are common misconceptions in corporate thinking that increase the chance of companies becoming the victim more frequently:
1. The concept of “100% internet security”:
100% percent internet security is neither feasible nor the appropriate goal. Nearly all companies and individuals will experience some form of information theft. Once you understand that perfect security is an illusion and that cyber security is “business as usual,” you also understand that more emphasis must be placed on protecting your most important information assets, in addition to improving detection and response capabilities to identify and address issues as they arise.
2. That optimum security is dependent upon the most expensive IT security technology.
The world of cyber security is full of suppliers offering products that enable rapid detection and repulsion of intruders. These tools are essential for basic security, and are a must for any IT infrastructure, but they are not the basis of a holistic and robust cyber security policy and strategy. The investment in technical tools should be the output, not the driver, of cyber security strategy.
3. That you need “bigger guns” than the hackers in order to win the cyber crime war.
The fight against cyber- crime can’t be won if it is viewed solely as an “arms race” with attackers; they are constantly developing new methods and technology, forcing companies to keep investing in increasingly sophisticated tools to prevent attacks.
Managers need to understand what types of attackers their business attracts and why and assess their own risk profile and prioritize policies, procedures and controls based on that risk profile. A strong IT security plan needs to be tailored to your biggest risk factors.
4. That cyber security compliance is all about effective monitoring.
Only an organization that is capable of understanding external developments and incident trends, and subsequently uses these insights to inform policy and strategy, will succeed in combating cyber- crime in the long term.
Effective cyber security policy and strategy should be based on continuous learning and improvement to augment the company’s program and protect their highest value assets, not simply committing to a reactive, “monitoring-based” approach to threats.
Cyber security should not be compartmentalized into one department, it should be adopted as part of your organization’s cultural mindset. While it is often seen as the sole responsibility of an IT team, this can result in a false sense of security and may give the broader organization the mistaken idea that it’s not their problem.
The real challenge is to make cyber security a concern of the entire organization; cyber security should also be integrated with the company’s HR policy. By educating your employees at every level regarding best practice in maintaining the integrity of your company’s information, you drastically reduce the capability of cyber criminals.
- Source: Gartner's Security and Risk Management Summit, London, Sept 2014.
-Source: Net Losses: Estimating the Global Cost of Cybercrime, McAfee Center for Strategic and International Studies, June 2014
-Source: PwC’s 2015 Global State of Information Security Survey, 2014.
-Source: Notch & Buffomante: “The 5 most common cyber security mistakes” KPMG, 2014