Cyber crime can strangle your business, not just your IT
A conference on the rising threat of cyber attacks emphasised the need for businesses to do more than merely comply with rules
At RSA’s Europe conference 2012 in London last week, the information security sector made a case for appropriating the old line about not knowing which 50 per cent of spending is wasted.
In keynotes and executive briefings, RSA executives kept returning to the theme that too many businesses invest in the wrong areas of security. For some, dealing with the issue has simply become a box-ticking exercise that owes more to regulatory compliance than to addressing actual threats.
That’s an inadequate response in the face of a growing problem, they said. In the same week as the conference, the Ponemon Institute in the US published figures showing the rate of cyber attacks doubled over the past three years while the cost of incidents rose by 40 per cent.
Misha Glenny, whose book DarkMarket investigated the online criminal underworld, was one of the event’s keynote speakers. He referred to the reported loss by one London-listed company of £800 million last year as a result of a single cyber attack. The cost of cybercrime is “rocketing”, he added, echoing a theme of the conference by saying the focus is on the wrong side of the financial scale.
“We don’t know how much money we’re losing on digital malfeasance; I mean how much we’re actually spending on the problem. There we do have figures – usually spending on high-end digital solutions. This is roughly $100 billion in a year although that is set to double in less than a decade.”
Sam Curry, chief technology officer for the identity and data protection division at RSA, said many security budgets have become “a calcification of previous spend”.
Too much outlay still goes on traditional perimeter defences and commodity products such as antivirus, firewalls and intrusion detection systems. “We need to invert that pyramid,” said Curry.
This spend often occurs because businesses don’t collect the right kind of data to understand if their defences accurately address the risks they really face.
Curry’s words echoed the address that kicked off the three-day event, when RSA’s executive chairman Art Coviello spoke of the “perception versus reality gap” in security investment.
Part of the problem may be that the security sector has “very poor indicators of success”: that was the view of Josh Corman, director of security intelligence at Akamai Technologies. He struck a downbeat tone from the first bars of his keynote: “Are we getting better? The answer is no.” Referring to when the PCI-DSS security standard was introduced, he said: “We started to fear the auditor rather than the attacker.” It’s safer to spend money on compliance than to track whether trade secrets are being compromised, he suggested.
“What we do is like little kids playing soccer – we follow the ball. We focus on the things that are visible instead of the things that are important.”
What’s more, the problem is a moving target because technology is constantly changing – trends such as mobility in the workplace and cloud computing are having a “disruptive influence” that is changing business priorities.
Corman challenged the assembled delegates: “Are you here to do better security or do you just want plausible deniability?”
As attacks grow in number, the range of targets multiplies. Glenny said the net’s very interconnectedness is a source of its insecurity: companies can end up in the firing line because they might be linked to the real target.
