In this article, Mark Hughes, President of BT Security, discusses why the industry is now in an arms race with cyber criminals and what approaches businesses can adopt to ensure a holistic approach to security is front and centre.
As the threat of cyber attacks grows, businesses are struggling to keep pace with the constantly evolving tactics of cyber criminals, hacktivists, state sponsored attacks and even cyber terrorists. Too often, boards have become aware of the importance of robust cyber defences after a breach or hack. In a joint BT and KPMG report “Taking The Offensive”, nearly one third of CEOs listed cyber security as the issue that has the biggest impact on their business. Despite this, only half felt prepared for a cyber attack. At a time when attackers are moving quickly with an increasing arsenal of tools and techniques, the traditional approach to security isn’t fit for purpose.
Rethinking the threat
The pace of those that are targeting valuable corporate data information has reached the speed that requires a complete rethink of the security strategy. The threat is so considerable that last year the Chancellor of the United Kingdom announced a £1.9 billion 5 year investment to develop a national cyber plan. At an organisational level, forward thinking CISOs should approach the role with the mind-set of the potential hackers, whereby cyber security is a customer experience and revenue opportunity, not just a risk that needs to be managed.
Gathering intelligence and building out strategies should be an organisation’s first instinct. Both employees and clients provide attackers with access to internal systems and often the best way of detecting attacks is to understand how those stakeholders might be targeted. This approach puts organisations on the front foot by turning cyber preparedness into a competitive advantage rather than a cost.
Ruthless and rational entrepreneurs
The industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft. Ninety-six per cent of businesses surveyed in the recent joint BT and KPMG report admitted that criminal entrepreneurs could be bribing employees, while only 44 per cent confirmed they had prevention measures in place to tackle the issue. A further 95 per cent said staff could be vulnerable to blackmail, again with less than half (47 per cent) with a defence strategy. The twenty-first century cyber criminal is a ruthless and efficient entrepreneur, supported by highly developed and rapidly evolving black market. It’s no exaggeration to describe them as ‘criminal entrepreneurs’.
Like any entrepreneur, the cyber attacker’s intention is to make money fast. A distributed denial of service (DDoS) attack for example can cost just $5 per hour to mount, yet more than $40,000 an hour to defend against. Attackers buy malware online, rent botnets by the hour, and compete for the best talent so they can inflict maximum damage. Their motivations have also changed: fame, notoriety, financial gain or political recognition are all common ‘trophies’, alongside the widespread media attention which often accompany major hacks.
Unlike conventional competitors, cyber crime entrepreneurs do not play by the rules. They are also undeterred by laws and regulations, perfectly content to damage the organisations they attack and exploit the customers who are often the ultimate victims.
With such high financial and reputational stakes, CEOs and businesses can no longer afford to sleep walk into a disaster. A report by the Department for Business, Innovation and Skills found that 90 per cent of large companies had suffered a security breach. If a company hasn’t yet been attacked, it is either extraordinarily lucky or living in the dark. When BT provided the communications network for the London Olympic Games in 2012, we repelled 11,000 malicious attempts every second and we had to fight off 200 million attacks in four weeks and that was over four years ago. In the last 18 months alone we have seen a 1000 per cent increase in cyber-attacks on BT.
The need for speed and agility
Organisations need to treat cyber criminals the way they treat challenger brands – by understanding and disrupting their business model. It is clear there is a challenge to develop a digital business model resilient enough for a cyber-attack and requires a strategy looking at the digital risks facing the business as a whole, not simply the information systems, but the customers and supply chains.
With 49 per cent of businesses surveyed in our report saying they were constrained by regulation it is clear that traditional compliance processes seem out of step with the new digital age – and adding more and more controls at the cost of flexibility and agility only increases not reduces risk. Businesses understand the importance of rapid action, but, as our research indicates, obstacles stand in the way of a quick response.
Across the UK, organisations, Government and academia must collaborate to outrun cybercriminals innovation. To do so, our own cyber security organisations need to be as creative and agile as their opponents, we need to commit to threat and vulnerability management, coupled with defence upgrades as new threats emerge. Threat intelligence capabilities are vital for companies to stay ahead of the game, to spot new trends and threats with a view to making sure they can respond. Given the pace of R&D in the shadow economy, businesses that don’t harness innovative technologies and approaches risk becoming obsolete. Here are some action points to help prevent this from happening:
- Demand evidence that your cybersecurity team is able to respond quickly and flexibly to changing threats and give them the license and the support they need to do so.
- Work with your major clients and third parties to exercise a major incident. You will need their cooperation if you are attacked and working closely in this way builds trust and transparency.
- Prepare for the worst case. Exercise your response to a cyber-attack and make sure you develop muscle memory. This will help you to respond quickly by understanding how an incident might unfold and how you might respond.
- Consider the role of cyber insurance in helping you mitigate the financial impact and access specialist expertise when needed. You won’t have all the skills you need in-house.
To find out more about some of the themes that Mark Hughes talks about, download this recently published report: Taking the Offensive.