JP Morgan Chase. Target. Sony. Each has been part of the growing number of cyber-attacks against private companies around the world in recent years. In the latter two cases, CEOs were forced to resign in the wake of the breach. Attacks are growing more sophisticated and more damaging, targeting what companies value the most: their customer data, their intellectual property, and their reputations.
What these attacks – together with breaches to defense, law-enforcement, and military-contractor networks – reveal is that our cyber-security efforts over the last two decades have largely failed, and fixing this will require the attention not only of security officers and IT teams, but also of boards and CEOs.
Companies need to take a new approach. They can do so by looking at themselves through the eyes of their attackers. In the military this is called turning the map around. The point is to get inside the mind of the enemy, and to see the situation as they do, in order to anticipate and prepare for what’s to come.
Unfortunately, this mindset is still too rare. Despite spending billions of dollars every year on the latest security products and hiring the best security engineers and analysts, companies are more vulnerable than they’ve ever been. Two trends account for this: the rapid convergence of enterprise IT architectures, and the proliferation of increasingly sophisticated adversaries…
Senetas high assurance security comments
The HBR article highlights the need for changes in the way organisations think about data security. The author highlights well the need for new thinking. Evidence shows data security must now be seen as part of an organisation’s overall business strategy.
However, international security analysts also report that even ‘the basics’ of many organisations’ approaches to data security are cause for concern. For example, while governments and defence organisations in more than 30 countries have developed comprehensive security strategies over about 20 years, few commercial organisations seem to adopt their recommended approaches – to both breach prevention and, ultimately, data protection.
Prevention addresses the threat of data breaches, while protection requires certified encryption to ensure that a successful breach only provides the criminal with meaningless bits and bytes. Similarly, government organisations typically use encryption to ensure that sensitive and/or valuable data transmitted across high-speed networks is protected when prevention technologies fail.
But in recent years, despite increasing cyber-attacks on data networks, information security experts and researchers regularly report commercial organisations’ continuing security failings. Security experts frequently comment: “…they underestimate the threats and under-invest in data protection…”
As organisations increasingly adopt Cloud and data centre services, introduce CCTV networks and share Big Data, they significantly increase their exposure to cyber-attacks and privacy breaches. They become prime targets. The consequences may be catastrophic: lost intellectual property; customer defection through lost brand integrity; identity theft; and financial costs, including regulatory penalties. The only effective protection for network-transmitted data is to ensure certified encryption of all that is sensitive and valuable as it is transmitted across networks.