Technical controls not enough to ensure real cyber security

It’s no longer just data that is lost in a breach, and it is no longer just a question of financial loss: it has become a question of basic corporate survival. Bricks-and-mortar trading is in decline everywhere. Conversely, online trading continues to grow, and new technology and online practices are continuously generating new online opportunities. “Eighty percent of all growth in business-to-consumer activity,” explains Michael de Crespigny, CEO of the Information Security Forum (ISF), “is being done through online channels; so if organizations are not active and successful in cyberspace, then they probably won’t succeed.”

But just as online commercial rewards are increasing, so too are online threats. So far the attackers are adapting to the new opportunities faster than the defenders. They are evolving a complete underworld business structure, which the ISF terms the ‘malspace’. Malspace has many of the organizational structures of mainstream business, but with one big difference: criminals share attack information more efficiently than business shares defense information.

Given the increase in both reward and risk available on the internet, the ISF believes that a change of emphasis from traditional data defense to corporate cyber resilience is in order, and has published a new report called Cyber Security Strategies: Achieving cyber resilience. “Cyber security is not just about protecting information,” de Crespigny told Infosecurity, “it’s about protecting customer relationships and trust, and protecting the brand as well as the channel. Without that channel many companies just won’t survive.” He talked about the many technical steps that can be taken to bolster cyber defenses, quoting, for example, the ‘Top 35 Mitigation Strategies’ published by the Australian Defence Signals Directorate. Use of these strategies, claims the Directorate, would have provided protection against 85% of the attacks experienced during 2010.

“But you’ll never be able to protect 100% in cyberspace,” warns de Crespigny, “simply because everything is moving so quickly. Therefore you need to prepare for unpredicted incidents of various kinds. You need to achieve cyber resilience by having the right procedures and policies to maintain trust and brands when those events inevitably do take place, so that you minimize their impact and get back to business as soon as possible.”

Our conclusion, he said, is that “real cyber security is not about technical controls. You need those, but they won’t provide the complete answer because of the very dynamic nature of the internet,” he added, citing the unpredictable use of social networks to gather, harness and direct hacktivist energies following the MegaUpload take-down. Cyber Security Strategies: Achieving cyber resilience is a tool to help businesses understand, develop and integrate the necessary resilience into their corporate structures.
