Opinions

Why organisations should embrace long-term cybersecurity planning


The cyber security industry is well known for its rapidly evolving landscape, with new threats emerging on a near-daily basis. As a consequence, many organisations are reluctant to attempt any form of meaningful long-term cyber security planning for fear of those plans quickly becoming obsolete.

Instead, they rely on short-term, largely reactionary strategies that focus on trying to detect threats before a significant data breach can take place. Unfortunately, such an approach condemns these organisations to a lifetime of playing catch-up against the perpetrators of attacks, which is exactly what the attackers want.

In a lot of ways, the cyber security industry itself is to blame for the current predicament. Fear of the unknown has long been one of the cornerstones of cyber security sales techniques. After all, how can you protect against something you don’t even know about without the latest technology?

But while such an approach may be useful when trying to sell new products and solutions, it actively encourages a short-term mindset amongst customers. It also ignores key trends within the landscape that could be used to build a viable long-term cyber security approach, such as the fact that the vast majority of emerging threats still rely on the same old attack vectors they have done for years.

For instance, 95% of attacks on enterprise networks today begin with a successful spear phishing attempt, according to the SANS Institute. Spear phishing is hardly new; it’s been around for more than a decade. Phishing itself is one of the oldest tricks in the cybercrime book, with the earliest examples dating back over 30 years. Nearly every modern cyber-attack still utilizes some form of social engineering too, a technique that criminals from all walks of life have been relying on for centuries.

Not only are these attack vectors old, but so are the most effective defenses against them. Chief among them is the establishment and maintenance of a robust cyber security training programme for all employees, helping them to quickly identify and report any phishing or social engineering attempts they encounter. As any cyber security expert will tell you, employees are always your first (and most effective) line of defence against cybercrime, and a little investment goes a long way.

In this regard, while the ongoing game of cyber security ‘cat and mouse’ may have changed in its appearance over the years, the rules haven’t changed much at all. Many of the same criminals who were attacking mainframes back in the eighties and nineties are attacking cloud platforms today, using very similar tactics and techniques. This begs the question, ‘is it an outdated mindset that’s holding the industry back, rather than outdated tech?’

Of course, this doesn’t mean the challenges facing modern cyber security professionals haven’t changed at all. Perhaps the most striking difference between then and now is the scale of the task at hand. Over the decades, megabytes of data have turned to gigabytes, then terabytes, and soon many organisations will be dealing in petabytes.

The same evolution can be seen in data transfer speeds and, following Moore’s law, in the doubling of data processing power. Elsewhere, changing business practices (accelerated by the ongoing pandemic) have resulted in ever greater numbers of employees working outside a traditional office setting, making it harder and harder to keep track of data and/or spot tell-tale signs of a potential security breach.

Fortunately, data analytics and anomaly detection are two key areas where investment in modern security technology really can make a difference. Advances in machine learning and automation mean organisations can now build platforms that take much of the manual burden off analysts, saving time and allowing them to concentrate on areas of the security process where their input will be more valuable. Such technologies are also becoming much more affordable, meaning businesses of all sizes and budgets can now benefit from the advantages they offer.

Cyber security vendors are now touting quantum computing as the next big thing to shake up the industry. Many claim it’ll give criminals the ability to crack user passwords and encryption keys much more easily, significantly reducing their reliance on social engineering.

While this may be the case, there’s no need to start panic buying new, unproven security tech just yet. Even if the emergence of quantum computing does lead to an upsurge in criminal activity, there’s already a wide range of established technologies, such as user entity behavior analytics (UEBA), which can be used to effectively counteract it. UEBA works by monitoring genuine users’ behavior over time and establishing benchmarks for ‘normal activity’ based on key criteria including the time of day, network folders accessed and geographical location.

Consequently, if any user’s behavior deviates too far from their norms, such as logging in from Russia at 5 am when they usually log in from the UK during normal business hours, it will automatically trigger an alert for the security team. Behavioral analytics can also automatically stitch together data from multiple activity streams, quickly creating a comprehensive incident alert that gives security teams much needed context about an unfolding event.
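The baseline-and-deviation idea described above can be sketched in a few lines. This is an added example, not code from the article or from any UEBA product; the event layout, the function names, the two-hour tolerance and the alert threshold of two deviating criteria are all assumptions, and the sample history is constructed.

```python
from datetime import datetime

# Constructed sample history (not real log data): user, timestamp, country, folder.
HISTORY = [
    ("alice", "2024-03-04T09:12:00", "GB", "/finance/reports"),
    ("alice", "2024-03-05T08:47:00", "GB", "/finance/reports"),
    ("alice", "2024-03-06T10:05:00", "GB", "/finance/invoices"),
    ("alice", "2024-03-07T17:20:00", "GB", "/finance/reports"),
]

def build_baselines(events):
    """Per-user benchmark of 'normal activity': hours, countries and folders seen."""
    base = {}
    for user, ts, country, folder in events:
        b = base.setdefault(user, {"hours": [], "countries": set(), "folders": set()})
        b["hours"].append(datetime.fromisoformat(ts).hour)
        b["countries"].add(country)
        b["folders"].add(folder)
    return base

def hour_distance(hour, seen_hours):
    """Smallest distance on the 24-hour clock from any previously seen login hour."""
    return min(min(abs(hour - h), 24 - abs(hour - h)) for h in seen_hours)

def score_event(baselines, event, hour_tolerance=2):
    """Return (score, reasons); every criterion that deviates from baseline adds 1."""
    user, ts, country, folder = event
    b = baselines.get(user)
    if b is None:
        # No history at all is itself worth an analyst's attention.
        return 3, ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if hour_distance(hour, b["hours"]) > hour_tolerance:
        reasons.append(f"unusual hour {hour:02d}:00")
    if country not in b["countries"]:
        reasons.append(f"new country {country}")
    if folder not in b["folders"]:
        reasons.append(f"new folder {folder}")
    return len(reasons), reasons

def should_alert(baselines, event, threshold=2):
    """Alert when at least `threshold` criteria deviate (assumed policy)."""
    score, reasons = score_event(baselines, event)
    return score >= threshold, reasons

if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    # The article's scenario: a 5 am login from Russia by a UK business-hours user.
    print(should_alert(baselines, ("alice", "2024-03-11T05:03:00", "RU", "/finance/reports")))
```

Requiring more than one deviating criterion keeps a single late-evening login from paging the security team, while the returned reasons give the analyst the context for the alert.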

The cyber security industry has long been driven by fear of the unknown, resulting in a culture where the concept of long-term planning has been all but abandoned. Yet despite ever-present concerns about emerging threats, a closer look often reveals a startling number of similarities between the old and the new.

With this in mind, organisations shouldn’t let uncertainty prevent them from considering how they can effectively extend their cyber security planning cycles to 10+ years over time. While the future may be unknown, chances are it will be more familiar than you may think.
