In this article, Mark Hughes, President of BT Security, discusses why the industry is now in an arms race with cyber-criminals and what approaches businesses can adopt to ensure a holistic approach to security is front and center.
As the threat of cyber-attacks grows, businesses are struggling to keep pace with the constantly evolving tactics of cyber-criminals, hacktivists, state-sponsored attackers and even cyber-terrorists.
Too often, boards have become aware of the importance of robust cyber defenses after a breach or hack. In a joint BT and KPMG report ‘Taking The Offensive’, nearly one-third of CEOs listed cybersecurity as the issue that has the biggest impact on their business. Despite this, only half felt prepared for a cyber-attack. At a time when attackers are moving quickly with an increasing arsenal of tools and techniques, the traditional approach to security isn’t fit for purpose. The industry needs to take action, quickly.
Rethinking the Threat
Those targeting valuable corporate data are now moving at a pace that requires a complete rethink of security strategy. The threat is so considerable that last year the Chancellor announced a £1.9 billion five-year investment to develop a national cyber plan.
At an organizational level, forward-thinking CISOs should approach the role with the mindset of potential hackers, treating cybersecurity as a customer experience and revenue opportunity, not just a risk that needs to be managed. This approach puts organizations on the front foot by turning cyber preparedness into a competitive advantage rather than a cost.
Ruthless and Rational Entrepreneurs
The industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft. The 21st century cyber-criminal is a ruthless and efficient entrepreneur, supported by a highly developed and rapidly evolving black market. It’s no exaggeration to describe them as ‘criminal entrepreneurs’.
Like any entrepreneur, the cyber-attacker’s intention is often to make money, fast. They buy malware online, rent botnets by the hour, and compete for the best talent so they can inflict maximum damage. Their motivations have also changed: fame, notoriety, financial gain or political recognition are all common ‘trophies’, alongside the widespread media attention which often accompanies major hacks.
However, unlike conventional competitors, cybercrime entrepreneurs do not play by the rules. They are also undeterred by laws and regulations, perfectly content to damage the organizations they attack and exploit the customers who are often the ultimate victims.
With such high financial and reputational stakes, CEOs and businesses can no longer afford to sleepwalk into a disaster. A report by the Department for Business, Innovation and Skills found that 90% of large companies had suffered a security breach. If a company hasn’t yet been attacked, it is either extraordinarily lucky or living in the dark. When BT provided the communications network for the London Olympic Games in 2012, we repelled 11,000 malicious attempts every second and had to fight off 200 million attacks in four weeks, and that was over four years ago. In the last 18 months alone we have seen a 1000% increase in cyber-attacks on BT.
The Need for Speed and Agility
Organizations need to treat cyber-criminals the way they treat challenger brands – by understanding and disrupting their business model. The challenge is clearly to develop a digital business model resilient enough to withstand a cyber-attack, and that requires a strategy that looks at the digital risks facing the business as a whole: not simply the information systems, but the customers and supply chains.
Traditional compliance processes seem out of step with the new digital age – and adding more and more controls at the cost of flexibility and agility only increases, not reduces, risk.
Across the UK, organizations, Government and academia must collaborate to outrun cyber-criminals’ innovation. To do so, our own cybersecurity organizations need to be as creative and agile as their opponents.
Given the pace of research and development in the shadow economy, businesses that don’t harness innovative technologies and approaches risk becoming obsolete.