How Much Security Is Enough?
By Mark Vos, Chief Information Security Officer, Iress
Cybersecurity has become a significant and increasing cost of doing business, but by striving for a “best fit” solution, it can be a business enabler.
As a security and risk professional, I am often asked: “how much security is enough?” It seems a simple enough question, but it manages to trip up so many people. So what is the right answer? Is there a nice sound bite that one can give? Well, not really.
In a dynamic environment of increasing security threats, firms have a big challenge on their hands to ensure they continue to:
- Get their security governance structure right and clearly articulate roles and responsibilities
- Obtain executive level buy-in and sponsorship
- Base security investments on risk
- Use security as a business enabler, not just a cost
- Establish a security awareness programme
- Continue to assess and adjust their security capabilities to changes in the environment
It is certainly complicated. Barely a day passes without a press report relating to a security issue, and all financial services organisations now face greater security threats to their people, assets and operations from such diverse sources as:
- Fraud and financial crime (both internal and external)
- Organised crime, including money laundering
- Information security threats from hackers and computer viruses
The level of complexity involved in managing such a diversity of threats means that cybersecurity has become a significant and increasing cost of doing business. The challenge is to develop a holistic approach to security management that responds to each of these demands in a coordinated, cost effective, and efficient way.
Where are firms focusing their InfoSec investment?
Our larger clients are spending millions in transforming their security functions and improving their security management practices across a range of areas, including:
- Risk management
- Information security
- Fraud and investigations
- Anti-money laundering
- Physical security
- Business continuity
- Crisis management
For many, this investment represents a significant shift away from the manner in which they have traditionally managed security. It is also placing huge demands on their security teams to develop new management skills, and places demand on their partners and service providers.
The best fit model
It is becoming more common for organisations to strive for a “best fit” solution as opposed to obtaining “best practice” in every security matter. It’s about being commercial and pragmatic in the way security is managed. Conforming to best practice is an extremely expensive exercise that does not necessarily deliver business benefits equal to or greater than the expenditure required to get there. A best fit model is about understanding what the risks are, and applying the most appropriate risk mitigation strategy to reduce them, as opposed to applying the best practice processes regardless of the associated risk.
So how much security is enough? A good place to start is to identify the top risks your business is likely to face and find commercially pragmatic solutions that remediate them. That is exactly what firms must be focused on right now. Global-scale cyberattacks such as the WannaCry ransomware outbreak and, more recently, the huge malware attack that brought chaos to Ukraine before spreading internationally, can inflict real damage on an organisation, both on its ability to function and on its reputation.
They are also a big reminder of the risks we all face, but let’s keep things in perspective. The reality is that you are far more likely to suffer a breach that originates inside the organisation than one caused by an external attacker. According to a recent PwC report, half of the worst cybersecurity incidents were due to inadvertent human error.
When it comes to information security, people and process are critical. You can have the best patch management practices in the world, but if your employees aren’t being vigilant, you’re wide open to many different types of attack. The bottom line is that your company culture is what will ultimately define your security posture and its effectiveness.
What are you up against?
However good your defences, you need to work on the assumption that malware will get through from time-to-time. At that point it will be your diligence and awareness that makes the difference. So what sort of nasties are you up against?
- Bots and zombies
- Trojan horses
What these do is exploit vulnerabilities, either in a system or in a person. Every 40 seconds a company is hit with ransomware (in the first quarter of 2016 it was every two minutes).
By far the most common delivery vehicle for ransomware is an attachment sent directly to your users in increasingly believable emails from seemingly trustworthy sources. A review by IBM Security found a 6,000% increase in ransomware-infected spam emails from 2015 to 2016.
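The attachment route described above is one a mail gateway can actually score before a message reaches a user. The following is an added example, not code from the article or from Iress: it parses an RFC 5322 message, inspects each attachment's name and leading bytes, and returns a risk score with reasons so the riskiest attachments can be quarantined. The extension lists, magic-byte table, scores and the quarantine threshold of 50 are illustrative assumptions, and the sample message is constructed inline for the example; archives are flagged but not opened, which a real gateway would do in a sandbox.

```python
"""Triage of e-mail attachments for ransomware delivery indicators.

Added example (not from the original article). The extension lists,
scores and threshold below are illustrative assumptions; the message at
the bottom is constructed for the example.
"""
import email
import email.policy
import os
from email.message import EmailMessage
from typing import List, Tuple

# Extensions Windows will execute directly or that carry scripts/macros (assumed list).
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf",
                  ".hta", ".ps1", ".bat", ".cmd", ".lnk", ".com", ".pif"}
MACRO_OFFICE_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
LEGACY_OFFICE_EXT = {".doc", ".xls", ".ppt", ".rtf"}   # OLE files can embed VBA
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".iso", ".img", ".cab"}
QUARANTINE_THRESHOLD = 50                               # assumed policy value

# Leading bytes of common container formats; a mismatch with the claimed
# extension is itself a signal.
MAGIC = {
    b"MZ": "pe",                  # Windows PE executable (EXE/DLL/SCR)
    b"PK\x03\x04": "zip",         # ZIP, also OOXML Office documents
    b"\xd0\xcf\x11\xe0": "ole",   # legacy Office / OLE compound file
    b"%PDF": "pdf",
}


def sniff(data: bytes) -> str:
    """Identify the file type from its first bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def score_attachment(filename: str, data: bytes) -> Tuple[int, List[str]]:
    """Return (risk score 0..100, reasons) for a single attachment."""
    reasons: List[str] = []
    score = 0
    root, ext = os.path.splitext(filename.lower())
    kind = sniff(data)
    if ext in EXECUTABLE_EXT:
        score += 80
        reasons.append(f"executable extension {ext}")
    if ext in MACRO_OFFICE_EXT:
        score += 60
        reasons.append(f"macro-enabled Office document {ext}")
    if ext in LEGACY_OFFICE_EXT and kind == "ole":
        score += 30
        reasons.append("legacy Office binary format (may contain VBA)")
    if ext in ARCHIVE_EXT:
        score += 20
        reasons.append("archive (contents not inspected here)")
    inner_ext = os.path.splitext(root)[1]        # "invoice.pdf.exe" -> ".pdf"
    if inner_ext and ext in EXECUTABLE_EXT:
        score += 20
        reasons.append(f"double extension {inner_ext}{ext}")
    if kind == "pe" and ext not in EXECUTABLE_EXT:
        score += 90
        reasons.append(f"PE header inside a file claiming to be {ext or 'extensionless'}")
    return min(score, 100), reasons


def triage_message(raw: bytes) -> List[Tuple[str, int, List[str]]]:
    """Score every attachment of a raw message, riskiest first."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        score, reasons = score_attachment(name, data)
        results.append((name, score, reasons))
    return sorted(results, key=lambda r: -r[1])


def quarantine(raw: bytes, threshold: int = QUARANTINE_THRESHOLD) -> List[str]:
    """Filenames that would be held back from the user's inbox."""
    return [name for name, score, _ in triage_message(raw) if score >= threshold]


def build_sample_message() -> bytes:
    """Constructed phishing-style message with four attachments (example data)."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="Invoice_2017.pdf.exe")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 30, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="report.docm")
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 30,
                       maintype="application", subtype="msword",
                       filename="statement.doc")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


SAMPLE_MESSAGE = build_sample_message()

if __name__ == "__main__":
    for name, score, reasons in triage_message(SAMPLE_MESSAGE):
        print(f"{score:3d}  {name:24s} {'; '.join(reasons)}")
    print("quarantine:", quarantine(SAMPLE_MESSAGE))
```

The scoring deliberately trusts bytes over names: a PE header in a file called `.pdf` outranks almost everything else, because the double-extension and icon tricks the text describes rely on the user reading only the name.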
Cyber criminals are looking for an easy target and it’s your employees they are more likely to target, rather than your software. Humans have now moved ahead of machines as the top target for cyber criminals.
Awareness and breaking bad habits remain the biggest challenges when it comes to fighting phishing. A 2016 study on IT security by Friedrich-Alexander University reported that 78% of respondents knew about the risk of clicking unknown links in emails, yet many of them clicked anyway. So what can you do?
Don’t leave InfoSec to the IT department
Ten years ago, the job title “Information Security Analyst” didn’t exist. Today, there is a genuine worldwide shortage of qualified and experienced InfoSec specialists. They are in high demand, and with good reason. As the cyber threat grows and evolves, so must your cyber defence resources.
Three years ago, we set up a dedicated global information security team tasked with protecting our environment and those of our clients. We recruited specialist subject matter experts who could educate others and keep up with ever-evolving cyber threats and techniques. The team was integrated into the business, not set apart as a traffic cop.
It is their responsibility to deliver and communicate information security within the business, and to make it everyone else’s responsibility too. It quickly became obvious that if we were going to do this successfully, we needed to take a client-centric approach to everything we did. That meant:
- Defining metrics for the effectiveness of information security and providing them to the board to get buy-in for commensurate information security investment
- Having a team that could influence colleagues and internal stakeholders
- Communicating information security in a clear and effective manner
- Focusing on the company culture, driving the importance of protecting client data, and other sensitive data