CIO

Risk: You're doing it wrong

By Jeff Paine, CEO, ResponSight

“Buy the best/latest/trusted vendor technology” is the common advice businesses receive on how best to protect themselves from a cyber-attack. This advice came from a time when cyber-attacks were simpler, and the businesses were probably simpler too, but it’s advice still being offered today.

However, investing in more technology often serves as a way for businesses to distance themselves from being responsible and accountable for cyber risk. It’s not uncommon for businesses to claim that they have 10 of the “best” cyber security technologies in place with genuine belief their organisation is measurably more secure.

Global spending on security is predicted to reach $96 billion in 2018, up 8 per cent from 2017, according to Gartner. The same research shows that 53 per cent of organisations cited that reducing security risks will be the main driver for their overall security spending.

Despite the increase in spend, the numbers for cybercrime continue to rise. Data suggests that cybercrime costs the Australian economy up to $1 billion annually in direct costs alone.

Sure, a CSO or CIO may be able to show their board that they’ve spent all of their budget and then some on the latest technology, but can they really measure that the business is better off? Or that all business information is safe and that the overall cyber risk has fallen as a result of the new technologies?

For the past several years, vendors have been telling boards and business leaders that they need to be attuned to cyber. They’re now there. Business leaders now understand that cyber security is a business problem – not just a technology one.

While board awareness might be at the highest levels ever, maturity and capability around the objective measurement of risk are still very low. Risk is still being reported as a very arbitrary (and subjective) measure, with only loose correlation to business objectives or IT spend. This gap is only going to widen if businesses continue to throw more technology at the problem without addressing the risk side of the equation.

Cyber risk is seen by many organisations as a technology problem that requires a technology solution, not as a business problem that needs a better way of measurement.

Looking from the inside out

While most organisations use the technology they have invested in to put up a security wall against external threats, what businesses aren’t aware of is that the threat could potentially be coming from inside their business. Advanced threats have the ability to take advantage of human behaviours, often not caring at all which person within an organisation is targeted.

The Office of the Australian Information Commissioner’s first mandatory Notifiable Data Breach report for the 2016-17 financial year revealed that 51 per cent of the eligible data breach notifications it received were caused by human error.

It takes a lot of engineering and intelligence gathering, including a vulnerability assessment, to understand a business’s weaknesses well enough to pull off a cyber-attack. Attackers know that it can be easier and cheaper to bribe a privileged employee than it is to try and break through the high-security digital “front door” of an organisation. This is likely why 200,000 scam reports were submitted to the ACCC, the Australian Cybercrime Online Reporting Network (ACORN) and other federal and state-based government agencies in 2017. Australians lost $340 million as a result, a $40 million increase compared to 2016.

Have a clear view

While plenty of technologies offer some form of “real time visibility”, boards and executives need to ask to see the detail, and understand exactly what is being measured. Risk measurement, be it cyber or otherwise, is challenging and requires objective data both at a point in time and over time.

Profiling activity and behaviour means a company can securely monitor changes in the enterprise cyber risk landscape both inside and outside of the network. Comparing and analysing objectively collected data about activity and behaviour is key to consistent risk measurement, and should always be done without collecting private or sensitive information. This approach retains employee trust and increases staff awareness of their IT usage patterns, while also reducing the company’s overall risk.

Visibility through objective measurement over time also gives businesses the opportunity to take a proactive approach to security. Data by AT&T showed that companies that are proactive have stronger incident response plans and are better prepared for a breach than those that take a reactive approach.
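The two paragraphs above describe measuring activity objectively over time without collecting private or sensitive information. The following script is an added illustration of one way to do that; it is not code from the column or from ResponSight. It assumes that activity has already been reduced to weekly aggregate counts per metric (no usernames, file names or content), establishes a baseline from the first six weeks, and reports each later week's drift as a standard score plus a single risk index that can be tracked week over week and compared against spend. The metric names and the weekly counts are constructed sample data.

```python
"""Objective, privacy-preserving risk measurement over time (added example)."""
from statistics import mean, pstdev

# Constructed sample: organisation-wide weekly counts, weeks 1..8, oldest first.
# Only aggregate numbers are kept, so no private or sensitive data is involved.
WEEKLY_COUNTS = {
    "privileged_logins": [120, 118, 125, 122, 119, 121, 124, 190],
    "after_hours_sessions": [30, 28, 33, 31, 29, 32, 30, 31],
    "removable_media_mounts": [5, 4, 6, 5, 4, 5, 6, 18],
}

BASELINE_WEEKS = 6   # number of leading weeks used to define "normal"


def baseline(series, n=BASELINE_WEEKS):
    """Mean and population standard deviation of the first n observations."""
    window = series[:n]
    return mean(window), pstdev(window)


def zscore(value, mu, sigma):
    """Standard score of value against the baseline; a flat baseline
    (sigma == 0) treats any change as unbounded drift."""
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def drift_report(counts, week_index, n=BASELINE_WEEKS):
    """Per-metric z-score for one week (0-based index) versus the baseline."""
    report = {}
    for metric, series in counts.items():
        mu, sigma = baseline(series, n)
        report[metric] = round(zscore(series[week_index], mu, sigma), 2)
    return report


def risk_index(report, threshold=3.0):
    """Number of metrics whose drift is at least `threshold` standard
    deviations: one objective number a board can follow over time."""
    return sum(1 for z in report.values() if abs(z) >= threshold)


def risk_over_time(counts, n=BASELINE_WEEKS, threshold=3.0):
    """Risk index for every week after the baseline period, oldest first."""
    weeks = len(next(iter(counts.values())))
    return [risk_index(drift_report(counts, w, n), threshold)
            for w in range(n, weeks)]


if __name__ == "__main__":
    for week in range(BASELINE_WEEKS, len(WEEKLY_COUNTS["privileged_logins"])):
        report = drift_report(WEEKLY_COUNTS, week)
        print(f"week {week + 1}: risk index {risk_index(report)}, drift {report}")
```

On the constructed data, week 7 sits inside the baseline for every metric (risk index 0), while week 8 shows privileged logins and removable-media mounts far outside it (risk index 2). The point is the shape of the measurement, not the threshold: the same aggregate counts collected the same way every week give a trend that can be compared with the budget decisions the column criticises, without anyone inspecting an individual's activity.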

Cyber security cannot be achieved with technology alone; it requires a more holistic approach from within the business. This is because even with the latest and greatest security technology, organisations cannot be completely immune to the growing number of cyber threats. Organisations need to know what’s happening inside and outside of their business network to completely understand and minimise their cyber risk.