By Stuart Trainer
To say that cybercrime is on the rise is a massive understatement. A University of Maryland study found that hackers are attacking computers and networks at a “near-constant rate”, with an average of one attack every 39 seconds. Another study, commissioned by Bromium and presented by Dr Michael McGuire at RSA, found that the cybercrime economy has grown to $1.5 trillion annually.
Attackers are moving faster, and 1.3 million new malware instances are created daily. Add to this the fact that detection takes too long – organisations take an average of 258 days to detect a data breach, research has found – and we have a perfect storm waiting to happen. In fact, the increasing number of high profile breaches locally highlights how vulnerable South African organisations are.
From the Liberty breach, to the ViewFines one, where the personal records of more than 934 000 people were leaked online, including their ID numbers, to the worst breach in South African history, when Dexter malware infected KFC’s POS devices and customer card data was stolen, to the fraud, phishing, identity theft and housebreakings that resulted from SANRAL user data being exposed, to name just a few incidents, South African organisations have seen a growing number of reputation-ruining events. For each breach that is reported, many more go unnoticed by the media, but companies cannot rely on keeping incidents quiet to minimise the damage.
Hype vs reality
While the threat is very real, the industry tends to throw out terms like hacking, phishing, exploits, risks, ransomware, data loss, cyber warfare, vulnerability, and so on, which can lead to a state of panic among organisations that feel they are unprepared, and a state of complacency in those companies that feel they have ticked all the boxes. The reality is that no company is adequately prepared.
Frameworks and standards have been developed in order to cut through the hype and help get a handle on the situation. These were designed to give structure and to help security professionals figure out exactly what to do. However, as the threats grew, so did the number of standards.
In the local market alone there are more than 20 frameworks and standards that are used on a regular basis. Globally, there are hundreds. At EOH, we follow a framework that includes Cyber Readiness, Cyber Protection, Cyber Monitoring, Cyber Recovery, with Cyber Governance being the glue that holds it all together.
Standards provide a guideline to work within; a structured programme to execute against. The execution then requires people, process and technology working in an ecosystem.
However, given that the threat landscape is growing exponentially, that there are hundreds of standards and frameworks to navigate, not to mention hundreds of vendors with hundreds, or even thousands, of technology solutions, the security landscape can be overwhelming. In addition, there is a lack of skilled resources to cover all the requirements.
Steering through the skills shortage
Companies have two options: to maintain their own security controls, or to outsource them. However, while every business needs the right people with the right skills and the right level of experience to ensure their security is effective, research indicates that there is a huge skills gap in the cyber security sector.
The figures vary, ranging from 1.8 million to 3.5 million unfilled security positions in the next three years. That equates to approximately one third of all security positions worldwide that will not be filled as a result of the skills shortage. Already, there are 1 million unfilled security jobs across the globe.
In order to ensure an effective security model, standardised processes need to be developed and actively followed. The processes need to deliver on the expected outcomes and need to be measured for effectiveness. However, this requires access to the right people with the required skills.
The next area of concern is the execution against well thought-through processes. Although some processes can be automated, people are still necessary both in process development and execution. Technology controls then also need to be implemented, which similarly require skills and experience.
And then there were hundreds of solutions
Once the right people with the required skills are in place, and solid processes are being executed against, technology controls come into play. The question then is which controls, from which vendor, should be used? Year-on-year, there is exponential growth in the number of security players and the number of security controls.
Taking into consideration that security controls need to work together, and not in isolation, and that the security skills gap is very real, many organisations are feeling overwhelmed. Where best-of-breed solutions were previously seen to be the ideal answer, today’s businesses are moving towards a more consolidated approach. Consolidation results in fewer vendors, meaning an overall reduction in unique skill requirements. It also means internal teams don’t have to do the custom integration themselves to get the controls to work together.
Outsourcing specific controls is another viable solution, as it removes the need for internal specialists. However, outputs still need to be managed, as does ensuring that the service delivers against requirements. This is becoming a very popular alternative, as is a hybrid model, which relies on a combination of vendor consolidation and the outsourcing of specific controls.
Security is the sum of the parts. Everything needs to function together to provide one outcome. The people, the standards, the technologies, and feedback on performance and/or any issues, must be combined in order to deliver the value that was intended.
Steps to cyber security success
Cyber security success rests on acting today. Tomorrow may be too late.
The first step is gaining an understanding of the complete security landscape. Companies should take a step back and look at the big picture, and then choose a framework that is practical and makes sound business sense. This requires understanding which elements of the framework are relevant to the business.
Secondly, once all the elements that are relevant are identified and understood, companies must assess what they are currently doing and whether that meets their cyber security and business requirements. If it does not, they need to understand the gaps, and how they can be remediated in a coordinated manner. Lastly, through a structured ongoing cyber security programme, organisations need to consistently manage the identified elements, typically referred to as cyber security controls.
Once the programme is in place, companies need to build out the elements that make up the complete security landscape or framework. The first step in this process is the identification of the frameworks and standards that might be relevant. Next, security groupings that make logical business sense need to be created. These are then applied to the security programme.
There are many categories that make up cyber security, each with its own controls. In fact, there are close to a hundred security controls available to an organisation at any given time. However, no organisation on the planet will need all of these controls.
The trick is to look at the specific requirements for an organisation and determine which controls are relevant. Those that are not relevant or not required can be removed. Groupings can then be created to assign specific responsibilities, significantly simplifying the cyber security programme. Once this is done, it is easy to identify and close any gaps.
Once the programme has been defined, and the relevant controls have been put in place, they must be evaluated against business requirements and assessed for whether they are at the right level of maturity. What is required is the Goldilocks Effect: the controls must provide just the right level of security for the business requirements – not too little, and not too much.
Some common elements come up time and again. There are a number of baseline controls that form a foundation in most, if not all, organisations. These can typically cover most of an organisation’s cyber security requirements. They are then added to, typically as the size and/or complexity of the organisation increases.
A modular approach is the key to success
Security should be as responsive as all other mission-critical business functions. For many organisations, it has become an extremely complex machine made up of many moving parts, leaving security teams sinking under the volume of all of the boxes they have to tick. A simple and responsive solution that provides a customised approach to cyber security offers a more strategic, efficient and cost-effective means of securing a business from end to end.
A modular approach offers simplicity as well as effectiveness – ensuring the organisation is covered. Starting with a framework that makes practical and logical sense, and understanding what elements in the framework are relevant to the organisation, a business can gain a deeper understanding of what is required to meet the company’s security needs.
A security programme should be built around the management of the required controls, which must be executed against to make sure they are consistently applied and managed. This provides a good foundation for the monitoring of security efforts, giving organisations the readiness they need to respond and recover in the event of a breach. This is the foundation of successful security, and it should be periodically re-evaluated against the ever-changing threat landscape.
Security is a highly specialised area which requires a specific skillset and a particular toolset. Staying ahead of cyber criminals requires solutions that evolve ahead of the threats, and that make provision for all the eventualities. Whether companies opt to use in-house security teams, outsourced providers, or a hybrid approach, security must be embedded across the enterprise.