Why Cyber Security needs to be seen as a business risk – not just an IT problem
It seems like almost every week now there’s another high-profile and highly-damaging cyber security breach. In May, we witnessed a massive global ransomware attack that impacted thousands of businesses, for instance, while a breach of US credit rating agency Equifax exposed sensitive personal information from nearly half of the US population.
Security through obscurity is no protection: malware and ransomware are routinely disguised as legitimate business emails, and Distributed Denial of Service (DDoS) attacks often affect large numbers of small and medium-sized businesses that share the same web hosting platform.
Telstra’s Cyber Security Whitepaper research found that some 59 percent of businesses across Asia and Australia detected business-interrupting security breaches on a monthly basis in 2016. Another survey, by the Ponemon Institute, found that an organisation has a one in four chance of experiencing a material data breach over the next two years, with the average total cost per breach at US$3.62 million. And these breaches often occur within minutes of an attack starting, according to security company Palo Alto Networks.
It’s no surprise, then, that cyber security factored large at the 2017 Telstra Vantage.
Numerous exhibitors were showcasing secure public and private cloud services, while a few focused on DDoS protection and several others offered platforms and tools built around network security and/or managed security services. There was even a company offering facial recognition solutions for automated staff time and attendance reporting (and other internal business things that could benefit from biometric security) and real-time analytics for customer insights and personalisation.
There was a big stress across the show floor on automation — on automated network monitoring and threat filtering, to whittle down several hundred thousand potential threats to a manageable subset of half a dozen that require the attention of security staff, and on automated provisioning of security certificates, among other things.
But the main trend on show was for a shift to secure cloud-based data and applications with managed network security and tight collaboration between the customer, the government, and the service provider’s security operations centres.
Collaboration is key
Cyber threats have now reached a scale and magnitude that’s beyond any one organisation to manage. Vigilance is no longer enough, Telstra’s Asia Pacific Chief Information Security Officer Berin Lautenbach emphasised during a talk at Vantage. You can’t just look for virus signatures and other known threats; the danger now lies in the unknown, the unusual activity and unrecognised software and infrastructure exploits.
The future of cyber security is collaborative — everyone sharing their security knowledge with the government and working together to rapidly identify and respond to threats. Telstra is looking to be a leader in this space. In August, Telstra officially opened its first two Security Operations Centres — one in Sydney and the other in Melbourne, with additional locations around the world planned for 2018.
Managed security services are traditionally the realm of large enterprise and government, but Telstra hopes to bring mid-sized companies into the fold in order to develop a kind of cyber herd immunity — to reduce the risks for everyone by gaining more data points and learning more about the strategies and techniques used by cyber criminals.
Cyber security risks start inside a company
All of these security measures may be moot if the people working for an organisation become lax in their security practices. The Ponemon Institute’s cost of data breach study found that 25 percent of data breaches were caused by negligent employees or contractors.
It’s not just about educating the core workforce, either, but also the senior executives and board members of an organisation — who need to see that security is a business risk.
Lautenbach said that IT staff around the world have twice failed to get this idea across. The first time, more than a decade ago, they went too technical, while the second time they dumbed it down to something along the lines of “it’s scary and you need to give us money.” This time, he explained, we need to make it about asking the right questions — beginning with “what’s important to the company?”
Lautenbach stressed that getting every level of an organisation on board with the same cyber security strategy makes risk easier to manage, not only in preventing breaches but also in responding to them, when consistent messaging becomes vital to retaining customer trust.
The opposition works as a team, he said, so it’s incumbent on technology companies to do the same.