What can organizations do to deal with the accelerating problem of cyber breaches? Do they protect their network or their data?
It’s a debate that dominated last week’s RSA Conference in San Francisco - the worldwide event for information security - if the blogosphere for risk and security professionals, alight with the latest thinking, is anything to go by. And, as the New York Times reported from the conference, the cyber risk situation is such that 2015 may surpass last year’s “Year of the Megabreach”.
This question of whether you should direct more resource to protecting the network and its endpoints or the data is not new. And while I can see both sides of the argument, it’s never been truer to say that data security matters.
After each data breach the response from technology vendors is to produce so-called new products designed to prevent breaches by better network and endpoint security, i.e. preventing the attacker access to the data. But why should we place our trust in what are essentially failed technologies? As RSA President, Amit Yoran, said in his keynote speech this week: “The largest enterprises with the most sophisticated, ‘next-generation’ security tools were not able to stop miscreants from making off with millions of dollars, personal information, and sensitive secrets and damaging reputations.”
The famous quote from Albert Einstein seems apposite here: “Insanity: doing the same thing over and over again and expecting different results.”
In May 2009, a paper from information security and research firm, Securosis, said that a data breach needs three things to succeed: a way in, a way out and something worthy of the effort and risk to steal. Break any part of this triangle and the breach fails - and vendors work tirelessly to convince us their latest new product can do this.
The sad truth is that these “new” products are costly and beyond the reach of many organizations. Moreover, the majority of attacks are the result of a user having a momentary lapse of concentration and unwittingly allowing an attacker into the network and, consequently, the data. This is shown in the recently released Verizon 2015 Data Breach Investigations Report, which revealed that some form of Phishing played a part in over two-thirds of cyber-attacks and that nearly 50% of users opened a Phishing email within an hour of receiving it; the attackers don’t have to wait long for their seeds to germinate.
It makes sense that an effective and efficient way of breaking the Data Breach Triangle is not just by deploying the latest technologies but by helping users across the entire organization to identify a Phishing email and understand what to do about it.
This is precisely what the AXELOS RESILIA portfolio will provide to organizations. When launched in the coming weeks, it will not only offer best practice guidance on good cyber resilience in organizations, plus certification and a range of tools, but also a variety of learning materials to equip every employee with the awareness and knowledge of how to be a good cyber colleague and citizen.
Before - as Nicole Perlroth, technology reporter for the New York Times says - we run out of adjectives such as “Megabreach” to describe the world’s cyber security performance, it’s time for businesses to take a different approach to cyber resilience and empower their people to protect vital data; deploying technology is not sufficient.