Comment: Size Doesn’t Matter in the Battle Against Cybercrime

Bigger isn't always better in the fight against cybercrime

Although the news is filled with high-profile data breaches, most cyber-attacks are designed by nature to be quiet and stealthy operations, aimed at penetrating security flaws undetected and remaining that way. No longer conducted by individuals, but by a sophisticated criminal industry, the attacks are designed solely to access and steal confidential data – regardless of where it is kept.

Beating these adversaries requires an industrial effort. Despite assumptions that it is small businesses with fewer resources and skilled staff who are suffering these breaches the most, the threat is real for everyone. Large organizations face the same challenges as their SME counterparts.

A recent security report from Cisco highlighted an often overlooked but important aspect of cybersecurity. Cisco’s report showed that 100% of a sample of the world’s largest Fortune 500 company networks generated visitor traffic to websites hosting malware – thus pointing to the fact that despite the benefits of their size, dedicated security teams, and generous budgets to invest in cutting-edge security solutions, large multinational organizations face the same obstacles as other companies when it comes to cybersecurity.

Vast amounts of stored customer data make large companies a lucrative target for hackers. The sheer number of employees at such organizations means that each is a potential target for a social engineering attack, and multiple access points mean networks are arguably more exposed to attacks than those of smaller organizations. In addition, it’s very difficult for large organizations to stay on top of and monitor everything that’s happening on their network perimeter and in the cloud, as well as effectively execute security policies across the entire organization. This, coupled with the fact that a lot of larger organizations still take a ‘this won’t happen to me’ approach to security, makes them arguably more vulnerable to targeted cyber-attacks than other organizations.

Given how big of a concern data security is at the moment for consumers, and how skeptical they have become when trusting companies with their data, this is a worrying belief. A recent report from Fujitsu highlights that only 9% of consumers trust brands can protect their data – a sobering statistic for large organizations.

To combat this, large companies need to identify what is most important in their organization and build a fortress around it. Because any organization can become a target, and companies can’t protect everything to the same level, it’s imperative to assess the individual risks. Large organizations need to locate where their assets lie and what types of attacks they can be exposed to. Once that analysis is complete, they can then adjust their security strategy accordingly – and make the difference between lockdown and meltdown.

In addition, an important change must come to how large organizations approach IT security education. It cannot be treated in isolation, as so often happens – rather, it should form part of a company’s overall training schedule. After all, even the most sophisticated security software cannot protect an enterprise if an uneducated member of its staff unknowingly exposes the business to a cyber-risk by not being aware of it or by not following basic security guidelines. In large companies especially, everybody has their part to play, and it’s important to show commitment to security training from the top so that the rest of the business can follow the example.

In today’s world any organization can make the headlines due to a data security breach. But as businesses collect more and more personal data from consumers, they have a responsibility to do everything they can to keep it safe. Multinational companies especially have to realize that being big doesn’t always warrant protection, and with new cyber threats appearing almost every day, there is always plenty to improve on in their approach to IT security.

David Robinson leads the Bid and Pre Sales team for the Information Security and Service Continuity business across Fujitsu UK & Ireland. He provides information security and assurance support for every division within the region, as well as occasional support to overseas units. Robinson’s unit delivers specialist advice, consultancy and operational delivery in security, identity and access management, and service continuity across the whole delivery lifecycle. As the CSO for the UK and Ireland, he brings a wealth of knowledge to this specialist area and acts as the focal point for all security matters. Robinson previously worked with C&W as the internal IT Security Director and prior to that he served almost 22 years with the Royal Air Force as an engineer, where he worked in a whole range of specialist roles, including simulation, radar, data processing, training, networks procurement and IT security. He was awarded the MBE for services to the RAF in 2000.
