Download the Cyber Security Crashcourse

Slides from IFSEC International 2015

Eric Hansleman speaking recently at Interop Las Vegas

“In the last year,” said Eric Hansleman, “businesses spent $70bn on cyber security. Meanwhile criminals will have made 10-20 times that amount”.

At IFSEC 2015, Eric Hansleman from 451 Research presented a rapid-fire overview of cyber security. The DarkReading Cyber Security Crashcourse – introduced with Sara Peters, Senior Editor for Dark Reading – was 40 slides packed with insight into the trends shaping the industry and how you can protect yourself.

You can download the slidedeck by filling out the form on the right…

Some 75% of IT professionals believe their organisations are about as vulnerable, or more vulnerable, to attacks than this time a year ago. As devices and applications proliferate and complexity grows, to be successful at securing our IT assets we have to be successful all the time.

IT security budgets continue to increase with half of surveyed respondents increasing security planning. Diversification of options is proving a major challenge.

The range of security technologies that a typical enterprise needs to employ is growing, with spend fragmented across them:

[Image: Cyber Security Crashcourse]

Today’s threat environment

Eric emphasised the need for a change in attitude: start from the position that “we have already been compromised”. While maintaining a firewall perimeter is still important, multi-layered defences are required to truly protect your data.

Every business now faces a multitude of adversaries, including “a generation of cyber criminals for whom this is their day job” and attacks often blamed on “nation states” such as North Korea. As Eric explained, it is hard to identify who is really behind an attack. For example, Kaspersky Labs thought that they had been attacked by either Israel or the United States due to the tools the hackers used.

At the top of your list of adversaries should be your own authorised users, who are the greatest risk to security.

Social engineering of your users has been used tremendously effectively by hackers. Indeed, 91% of targeted attacks involve phishing emails to trick users into giving up sensitive information.

Attacks are proven to be much more effective if they use personal information, and mobile devices make this much more of a problem: phishing has as much as a 30% higher success rate on a mobile device. “The data you have will always be valuable to someone – either directly or indirectly.”

The ‘Salesforce effect’ – whereby all kinds of users are buying pay-as-you-go cloud services – puts pressure on IT teams to maintain security standards when cloud capabilities are purchased outside of corporate IT buying. Any marketing manager with a credit card can purchase cloud services. Hosting data in the cloud and moving it onto different platforms carries a far greater risk of disclosure.

Password alternatives have helped somewhat, but still come with limitations:

[Image: Password alternatives]

As a solution, Eric recommended the FIDO Alliance to businesses that are looking to integrate more sophisticated authentication into their IT infrastructure:

[Image: FIDO]

It’s what you don’t know that will hurt you

With employees being the greatest vulnerability, Eric emphasised that the best investment a business can make is in education. Only through ongoing training of employees can businesses deal with cyber security threats.

Eric reported that there are encouraging signs of improvements in understanding and expectations for risk management, as can be seen in this table of changing attitudes from the Cloud Security Alliance (CSA):

[Table: 2010 to 2013]

The part that IT has to play is moving from the department of ‘no’ to the department of ‘know’ – educating colleagues about new technologies to better enable, rather than resist, change.

You can download the full Cyber Security Crashcourse presentation by entering your details in the form on the top right of this page.
