Tuesday 16 August 2016 5:27 am

If security breaches are inevitable, what are businesses to do?

"It's not if, but when your company will be breached.” This is an oft-repeated line in the cyber security industry, and it puts business executives in a catch 22 position. They care about security and know how important it is, but the message they are hearing is: “the hackers will always win”. Bosses are left wondering whether they are spending money on a problem they can’t solve.

If security breaches are inevitable, then it’s not about if or when hackers will get through your defences. Rather, it’s about qualifying whether the cyber risk you’re exposed to is acceptable, and if it’s not, figuring out what to do about it.

As a result, many firms are taking steps to understand their business assets, work out where they are vulnerable, and measure the effectiveness of their security. Here are some tips for guarding against attacks.

Understand moving parts

Lots of strategic security advice begins with: understand your “crown jewels” or your most valuable business assets. However, once you’ve identified these, you’ll discover that they rely on an ecosystem of moving parts: people, their access rights, applications, data, devices and the network, as well as partners, suppliers and customers.

Read more: Requests for cyber crime information up threefold since 2013

It is impossible to get a reliable view of this ecosystem without continuous, data-driven analysis. Manual assessments only deliver a partial, point in time snapshot.

Think beyond individual flaws

Vulnerabilities are typically thought of as individual weaknesses in applications which an attacker can exploit. However, from a risk perspective, a vulnerability needs to be understood in terms of weaknesses, connectedness and dependencies across the ecosystem which supports a business asset.

You can’t measure risk exposure accurately without understanding how these factors combine to give threats a path to their target. Technologies like vulnerability scanners and services like penetration tests can find lots of single vulnerabilities or paths that attackers can take. But they can’t map your firm’s own digital terrain to show you where it’s most critical to take action, or the action you should take to reduce risk most efficiently across your environment. Your data can.

Measure your defences as a whole

Joining up all the information and metrics from individual technologies to measure security success is a real challenge.

External reviews of security defences are typically either broad but not deep – assessing whether policy is being followed, but not how effective it is – or deep but siloed – assessing a single technical area. By bringing the relevant data into a single location, security can gain the meaningful, timely and accurate insights they need to know how effective their defences are at protecting their business from threats, and where to prioritise improvements.

Read more: TalkTalk boss calls for firms to be made to report all cyber attacks

Today, the problem of cyber seems big and complex. Effective use of data can simplify, automate and advance how that problem is solved. For a sense of the benefits and opportunities that analysing data can offer in cyber security, just look at marketing departments who’ve embraced a data-driven approach to improve customer communication and grow market share.

When it comes to using data to improve security and manage risk, the only question to ask in today’s fast moving business and technology environment is: what are we waiting for?