A number of people have recently issued reports on cyber. One that I think is worth downloading and reading is Get Ahead of Cybercrime, EY's Global Information Security Survey 2014.
This is from the introduction to the report:
In our 2014 survey, we discovered that organizations are making progress on building the foundations of cybersecurity — and this progress is important — however, most respondents report having only a "moderate" level of maturity in their foundations. There is still a lot to do.
The survey also tells us that more organizations are looking beyond the foundations in their approach to cybersecurity. These organizations are adapting their cybersecurity measures to changes in their business strategy and operations (for example, a merger, acquisition, introduction of a new product, entrance to new markets, implementation of new software) and to changes in the external business environment. But we know that they also need to change their way of thinking to stop being simply reactive to future threats.
Perhaps the most important point made by EY is this:
[Only] 13% of respondents report that their Information Security function fully meets their organization's needs — this is down from 17% in 2013.
Some of the causes of this clear failure include:
- Fewer than 20% of organizations have real time insight on cyber risks readily available.
- Not only are threats growing, our survey respondents also tell us that there are still known vulnerabilities in their cyber defenses. In other words, it is understood that there is a clear and present danger, but organizations are not moving fast enough to mitigate the known.
- The attacking power of criminals is increasing at an astonishing speed. Attackers have access to significant funding; they are more patient and sophisticated than ever before; and they are looking for vulnerabilities in the whole operating environment — including people and processes.
- The most important roadblock is the lack of cybersecurity skills.
These points merit emphasis.
The ways in which criminals are attacking us are changing constantly, in a cycle of new method – defense – new method – defense, and so on. If an organization is not able to adapt at speed, it is (at speed) becoming vulnerable and an easy target.
Similarly, an organization needs to be able to detect attacks, especially attacks using a new method, if it is to respond, limit the damage, and then harden its defenses.
Few organizations can do all of this with only internal resources. I believe every sane organization should partner with specialized organizations that have the ability to monitor what new attacks are being used now or will be soon, and then help the company respond with new defenses.
There are three areas where EY could and, I believe, have said more.
1. Security Assessment and Roadmap
Conduct a cyber threat assessment, current state maturity assessment, target state definition, gap analysis and design of implementation roadmap, alignment with leading practices such as ISO 27001.
The organization cannot be ready for attacks if it does not know the assets most valuable to the business. It must be able to prioritize these assets and understand the impact of them being breached, compromised or made unavailable in any way; then link this into the threat assessment process.
However, the majority of the report talks about cyber risks from the technical instead of the business perspective. When there are, as EY rightly says, limited resources, it is critical to prioritize them so that the 'crown jewels' are protected in preference to non-critical systems and information.
I would have like to see EY talk more about integration between cyber risk assessment and the [enterprise] risk management program.
2. Intruder Detection
It is unreasonable to believe that we can keep all intruders out all the time. Those who say they have not been hacked are most at risk, because it is 99.9% certain they have been hacked and just don't know.
Organizations need to have intrusion detection so that they can find out promptly when somebody gets in – not like, as recent reports have indicated, some large corporations who didn't find out for several months.
You not only need to know quickly, but you need to be able to respond at speed, limiting any damage.
3. Protection After Intrusion
Just because they can get in shouldn't mean they can access your crown jewels.
Data encryption is the popular response to this scenario, but you have to take care to use encryption methods that will withstand (within reason) the attempts to break it of the sophisticated intruder.
I would like organizations to ask what they can do, in addition to encryption, should an intruder from another nation's cyberwarfare unit break through their defenses.
Overall, this is a useful report and should stimulate discussion at several levels, from board to IT management, as to whether the organization has the right level of information security for its needs.
I welcome your comments.