by James McFarlin
Target. Neiman Marcus. eBay. The New York Times. The U.S. Navy. The Federal Reserve. The list of organizations falling victim to cyber attacks continues to grow, with the number of reported security incidents rising from 2,989 in 2012 to 3,741 in 2013.
The severity is increasing, too, with the loss of customer information in some attacks reaching astronomical levels: 110 million accounts were exposed at Target, and the eBay breach compromised up to 145 million customer records.
According to Forbes, the average loss per incident is also climbing at a rate of 23% year-over-year, with incident losses exceeding $10 million per occurrence. This is up 75% from just two years ago.
Due to a combination of factors, including timing, carefully selected targets, and increasing sophistication, attacks are becoming more successful, not less. These increases persist in spite of major growth in cyber security spending. Effective security against cyber attacks is clearly lacking.
Target, for example, had installed a new $1.6 million cyber defense security system and established 24/7 monitoring of the organization’s networks just months before the November 2013 attack. But to no avail.
In the face of such successful breaches, organizations are increasingly accepting that cyberattacks against their networks will succeed. As related in a piece here on April 30th, many organizations are thus shifting their emphasis to cyberattack mitigation and to business continuity and recovery.
But will new measures be any more effective? Or will they, too, fail and push the defense line even further back from the beachhead? SunguardAS, a leading cybersecurity firm, believes an answer may lie in what they term “Cyber Resilience.”
At the heart of cyber resilience lies an important maxim: focus cyber defense efforts on protecting those aspects of the organization where the risks to key business operations are highest.
My version of this advice is for the organization to adopt a perspective I term “reverse thinking”: instead of starting with cybersecurity tools and how to deploy them throughout the organization, organizations should identify critical business assets and work backwards into how those key assets can best be protected.
This involves accepting that attacks do and will continue to occur, lessening the focus on stopping such attacks, and understanding that 100% cyber security is a dream.
Once this avenue of thinking is adopted, cybersecurity efforts will no longer be focused on the latest defense tools but on how client, reputation, financial, and operational impact to the organization – the important things – can be minimized.