More complex and diverse cyber threats are common place for all businesses in the coming year and many companies are woefully unprepared.
Cyber security was at the top of the list of business risks, and not just for the financial sector, at the recent annual general meeting of the World Economic Forum.
As connected devices proliferate and cloud computing grows, this provides more opportunity for cyber criminals. New technology is making things a lot easier for hackers – as seen with the recent weaponisation of webcams and other IoT devices used to bring down portions of the internet.
Accenture’s 2016 report Building Confidence: Facing the Cybersecurity Conundrum revealed that the majority of security professionals were confident in their ability to protect their enterprise from a cyber attack.
Yet 51 percent disclosed that it takes months to detect sophisticated breaches, and as many as a third of all successful breaches are not discovered at all by the security team. It appears this confidence is misplaced.
This shows an alarming cyber security disconnect, and may be a result of too much emphasis on compliance. Many cybersecurity teams measure performance based on achieving compliance goals instead of mitigating negative business impacts.
The research surveyed 2,000 executives from 15 countries across North and South America, Europe and the Asia Pacific. New Zealand wasn’t included in the research, but it is far from immune, and security professionals here are dealing with a range of threats.
The National Cyber Security Centre recorded 338 cyber security incidents in the 12 months to June 30, 2016, up from 190 attacks the year before.
New Zealand organisations, public and private, have a wealth of information attractive to others – whether intellectual property for a new technology innovation, customer data, business and pricing strategies or government positions on sensitive topics, says the NCSC.
With cyber attacks on the rapid rise, last year former prime minister John Key put aside $22m to set up a unit to fight cyber crime, yet when it comes to organisation’s efforts, even the best cyber defence strategy will fail if not executed effectively.
Security is often seen as an afterthought, and not front and centre, for many businesses. It needs to be at the heart of an organisation’s risk strategy.
Organisations require a robust and holistic operating model that focuses the company’s risk management strategy around key threats to achieving organisational vision and mission.
A security team’s ‘ground game’ will determine how well it deters, detects and responds to cyber attacks.
There are a number of steps that New Zealand organisations can take to improve their security operations.
Understand the time-consuming and frequent tasks within security operations that occupy staff, and investigate the prospects for automating them to focus talent on tougher challenges.
Given the opportunity for cyber criminals to attack is growing with the proliferation of devices and growth in cloud computing – identify the types of questions that the security team can’t answer, and pinpoint the data needed to operate effective analytics.
It can be difficult to develop cyber security capabilities without the equivalent of a boxer’s sparring partner.
For example, after mastering static ‘punching bags’, firms need a life-size opponent to drive additional improvements.
The sparring partner needs to apply all of the attacker’s creativity and intent to ensure that the company’s security innovations keep pace with the latest and growing hacker advances.
That means engaging all of the business stakeholders: insurance, risk management, marketing and communications, legal staff and the fraud team.
Security teams often lack situational awareness when an incident occurs.
They need to know what it means for the business, who the players are, what the priorities are and whether they can act based on the information at hand.
Organisations must determine whether the security team understands enough about specific assets to contextualise threat data effectively.
For example, as the business expands, security needs to know what to look for in the threat feeds and how it ties to the growing attack surface.
Fighter pilots depend on AI, cockpit automation and virtual reality technology to elevate their reaction times and abilities to peak levels. In the next five years, security professionals will employ similar technologies to predict and respond to digital attacks.
Future security teams will link artificial intelligence models – machines capable of assessing situations and taking action – with automation and interactive visualisation. And the liquid workforce, with its crowdsourcing and freelance staffing options will make it easier to access talent for short-term projects.
Achieving best-practice operational effectiveness can deliver a wide array of security-related benefits, ranging from fewer successful incursions to faster response times and quicker recoveries when attackers do hit.
A strong security ground game can also reduce costs and risks for the business.
However, there’s also the simple truth: without world-class cyber security, it will be impossible for New Zealand organisations to keep up with global competitors. Both an increase in business ownership and investment are surely needed.