Strategies organizations should take to keep up with the evolution of cyber-attackers was the topic of a panel discussion during Digital Transformation EXPO Europe 2021.
Moderating the session, Lisa Short, director & co-founder, Hephaestus Collective & P&L Digital Edge, observed how the digital world has become more “pervasive” during the past 18 months, with organizations undergoing significant digital transformations. She then posed the question: how should industry professionals be reacting to this change?
Matt Howells, head of cyber defense, Hargreaves Lansdown, said that threat actors are broadly using the same methods they did pre-pandemic, such as ransomware, but the velocity of attacks has ramped up. He also noted that cyber-criminals are becoming more collaborative, for example through ‘as-a-service’ offerings. As such, “it’s physically impossible to stay ahead of our adversaries – there are tens of thousands of them out there across the globe.”
Amid this environment, Jack Chapman, vice president, threat intelligence at Egress, said it is vital that security teams make use of the new technologies they have adopted since COVID-19 and combine those with the human and process layers. “It’s a case of re-evaluating what threats our organization is facing and taking a realistic approach, because if we’re honest, every layer can be overcome. What we’re doing here is mitigating these threats and by understanding them, we stand a much better chance.”
Vijay Kumar Velu, director, offensive security, BDO UK LLP, emphasized that organizations are not facing a new set of threats, but rather changing tactics. This is partly due to the surge in cryptocurrencies, which has given cyber-criminals new avenues to make money, such as cryptojacking. “It’s just the way they want to make money that changes,” he stated.
Short then asked the panel about the types of tools organizations should invest in to better protect their systems and data. Howells pointed out that any new technology, person or service must be carefully vetted before being rolled out. Otherwise, “you are allowing insider threats to walk straight in the front door, which a number of organizations do on a daily basis.”
Chapman emphasized that the focus should always be on creating new layers of security by design, and tools need to be tailored for that purpose. “Any organization has different risks, different employees, different objectives, and one answer fits-all doesn’t work.”
Kumar Velu was then asked whether he feels security teams are getting enough funding given the expanded threat landscape. Short outlined the context of this question: the eye-opening cost of cyber-crime, which is projected to reach $10.5tn annually by 2025. Kumar Velu agreed that more money is required but cautioned that teams must be careful about how they spend their budget, as “the spends are going wrong sometimes.”
Building on this point, Howells stated that the best way to ensure the right decisions about security spending is to have the right CISO to communicate security risks and needs effectively to the board. “If you have somebody who is able to communicate to them in the language that can drive home exactly what we’re trying to achieve from a cyber-perspective or a transformational perspective from IT, I think you will always get through to your c-suite,” he opined.
He added that while tools are essential, organizations should also focus on getting the security basics right, such as maintaining a configuration management database (CMDB) so that they know what assets they actually have to defend.
Kumar Velu also advised organizations to focus on defending the critical assets of their business and ensuring they remain protected in the event of a breach. “Always focus on the risk that matters to you. One size doesn’t fit all — only the size that matters to you,” he said.