The global economy is in the grip of a digital fraud epidemic currently estimated at $400 billion per year, with the expectation that it will hit $2 trillion by 2019. To date this has impacted not only unaware end users but also big-name brands such as Talk Talk, Yahoo, Tesco Bank, eBay, Facebook and PayPal, and even government departments, all of which have fallen victim to what is perceived to be a new landscape of cyber threats. However, since much of this is driven by corporate failings and what looks to be a lacklustre approach to delivering a robust cyber security model, organisations must now take notice of the broadening agenda of cyber risks, and be aware that regulatory pressure on businesses is set to increase with the introduction of new US and EU data regulations and laws, which will drive even more robust mandatory compliance regulations to protect the end user. Proposed EU legislation sets out significant fines for companies that do not comply with the proposed regulation, with a potential penalty of up to 5% of annual worldwide turnover [or €100m], together with the possibility for individuals and associations acting in the public interest to bring claims for non-compliance. For many businesses, if adopted, these new obligations will require a significant shift in their approach to cyber security and data protection measures, policies and procedures, with training of staff and provision of additional resources, going well beyond the current model of what can be tick-box security conventions when it comes to engaging cyber risk.
To underline the scale of exposure, it was reported in the UK press in February 2017 that more than half of the online companies in business today are 'easy meat' for online hackers, with only 30% having a credible plan for responding to a cyber-attack. Add to this that 53% of them were branded 'cyber novices', and it is not surprising that we are seeing soaring cybercrime statistics entering the press on an almost daily basis. And this I can well believe, as first hand I have seen such poor security controls in place all too often.
The problem is that the current set of threats is so diverse and complex that it takes much more than a simple risk assessment approach, or leverage of the good old ISO/IEC 27001, to accommodate what may be considered adequate security. The question is, just what can be done to even start to understand the threats, and the potential mitigations, in order to maintain the security of our assets?
Another issue I have observed is the understanding of what 'cyber security' really is, brought home by an online conversation in which it was seen as an evolved state of 'information security'. Another opinion was that cyber is a subset of infosec. OK, I can see the chain of thought, but remember that information security can be very focused on a known known [information], whereas the implication of cyber is much higher up the food chain, needing to take in everything from back-to-basics [a term I have used for the last 4 years] aspects of unknown-unknown potentials of insecurity, right through to big-picture matters such as proactive/reactive threat intelligence and OSINT [Open Source Intelligence] capabilities.
The ultimate bottom line is that if we have struggled along the various paths of infosec, or information security, for the past 10 years or so, the time has arrived to wake up and smell the coffee. Cyber is a very wide subject and, as a simple definition, 'it encompasses everything technological in whatever form it manifests'. It is time to shed the opinion that compliance, governance and a roll-out of the PCI DSS checklist will suffice to deliver a song to sing in security mission meetings. It is time to look to those who wish us cyber harm, think as they do, and strive to counter the new age of technical adversaries with a technical sword and a conjoined mindset, not a pencil. Times have changed, and so must security professionals if they are to deliver against the real-world threats we now all face.