Wednesday 23 December 2015 9:12 am

Cyber siege: What businesses should learn from 2015's hacks against TalkTalk, Carphone Warehouse and Wetherspoons

We will remember the past year in IT security as yet another in which cyber-attackers got the better of major organisations: in the United States, the federal government's HR agency, the Office of Personnel Management (OPM), and the health insurance giant Anthem; in Asia, the Hong Kong-based toy manufacturer VTech and the Japanese-owned Hello Kitty brand; and at home, some of our best-known British brands, such as TalkTalk and J.D.Wetherspoons.

Cybercrime knows no geographical barriers.

2015’s attacks have shown us that attackers are not just after money. By now we are familiar with the idea that our credit card details might be targeted, and resold on the dark web. But today’s hackers are also using their skills as a political statement, show of power, revenge act, or just because they can.


In this new reality, all information is at risk. If you’ve got it, someone wants it.

However, it is clear that many sectors of the economy are still not taking cyber security seriously enough. Today's leading businesses operate in international marketplaces and handle ever-increasing volumes of customer data, yet the responsibility that comes with holding that data is too frequently sidelined.

One problem is that information security has not historically been addressed as a business issue, but instead delegated to the IT department.

Company executives are waking up to the fact that, while technology may enable attacks, the consequences of a cyber-attack affect the entire business. The leak of a client's negotiation strategy is, in the wrong circumstances, enough to seriously damage any bank or law firm, just as the theft of a customer database can destroy trust irrevocably.

Businesses will soon be forced to pull their heads out of the sand by EU regulation, due to be finalised in 2016, that will make breach disclosure mandatory and impose steep sanctions for failing to protect personal data. Alongside that, we can expect the continued transition into a new era of ever-present cyber-threats, characterised by their persistence and sophistication.

This means that organisations can no longer hope to shut out threats behind an iron wall.

Today’s networks are far too complex to avoid vulnerabilities. Businesses must accept that they will be infiltrated at some point – if they haven’t already – and focus attention on identifying those threats early in their evolution.


This may seem an overwhelming task. But remember that no attacker can do real damage until they have moved around the network, located the assets they are after and worked out how they are going to steal, alter or compromise them. Industry breach reports put the typical time an attacker spends inside a target's network before being discovered at over 200 days. That period is the riskiest part of the attacker's operation, and the defender's best chance of spotting them.

No one will be surprised to see a new wave of cyber-attacks in 2016. But let’s hope that we also hear from those organisations that are getting cyber security “right” – raising cyber security to a senior management level, hiring the right skills, and using technological innovation to stop threats in their tracks.

TalkTalk’s beleaguered CEO Dido Harding warned business leaders at a House of Commons Select Committee meeting this month, “don’t delegate security – it’s a board issue and a business issue.”

If companies have one New Year’s resolution this year, it should surely be this.