by James McFarlin
Target. Neiman Marcus. eBay. The New York Times. The U.S. Navy. The Federal Reserve. The list of organizations falling victim to cyber attacks recently continues to grow, with the number of reported security incidents rising from 2,989 in 2012 to 3,741 in 2013.
The severity is increasing, too, with the loss of customer information in some attacks reaching astronomical levels: 110 million accounts at Target, and up to 145 million customer records at eBay.
According to Forbes, the average loss per incident is also climbing at a rate of 23% year-over-year, with some incidents now costing more than $10 million each. This is up 75% from just two years ago.
Due to a combination of factors, including timing, carefully selected targets, and increasing sophistication, attacks are becoming more successful, not less. These increases exist in spite of major increases in cyber security spending.
Effective security against cyber attacks is clearly lacking. Target, for example, had installed a new $1.6 million cyber defense security system and established 24/7 monitoring of the organization’s networks just months before it was attacked in November 2013, but to no avail.
In the face of such successful breaches, organizations are increasingly accepting that cyber attacks against their networks will succeed. As related in a piece here on April 30th, many organizations are therefore shifting their emphasis to attack mitigation and to business continuity and recovery.
But will these new measures be any more effective? Or will they, too, fail and push the line of defense even further back from the beachhead? Sungard AS, a leading cybersecurity firm, believes an answer may lie in what it terms “Cyber Resilience.”
At the heart of cyber resilience lies an important maxim: focus cyber defense efforts on protecting those aspects of the organization where the risks to key business operations are highest.
My version of this advice is for the organization to adopt a perspective I term “reverse thinking”: instead of starting with cybersecurity tools and how to deploy them throughout the organization, organizations should first identify their critical business assets and then work backwards to determine how those key assets can best be protected.
This involves accepting that attacks do and will continue to occur, lessening the focus on stopping such attacks, and understanding that 100% cyber security is a dream.
Once this way of thinking is adopted, cybersecurity efforts will no longer be focused on the latest defense tools but on how the client, reputational, financial, and operational impact to the organization – the things that matter – can be minimized.