The new frontier for cyber security is that there is no frontier: the concept itself is outmoded. CIOs and CISOs need to come to terms with the fact that they must protect a vastly expanded attack surface that exists in a threat landscape of exceptional complexity and in a state of constant flux.
On the plus side, though, human ingenuity responds superbly to challenges. However, to be ingenious, we first need to understand the nature of the challenges.
Two major trends underlie the changes that are redefining cyber security.
The first of these is the normalisation of the work-from-anywhere (WFA) ethos. Enabled by increasingly reliable/affordable connectivity, powerful mobile devices and a globalised business environment, and accelerated by the COVID-19 lockdowns, the concept of working from outside of the corporate network looks like it has become permanent.
WFA has led to significant productivity gains in many sectors and is also proving to be a tool for achieving a better work/life balance, the latter something much valued by those with skills in high demand.
At the same time, too, WFA means companies can work better with business partners, and respond more quickly to competitors in different time zones.
The consequence of WFA, of course, is that the corporate firewall, while still vital, is no longer the sole or even the main line of defence.
Cyber crime for all!
The second big trend is that pre-made attack tools are now becoming available on the Dark Web. In essence, this means hacking-as-a-service is now available to those who know where to look.
The implications are far-reaching. There was a time when the most serious hacking attempts were expensive to undertake; now they are relatively cheap.
Moreover, attacks that were previously targeted are now broadcast widely, something I’ve heard described as “spray and pray”. The bottom line is that the number of attacks is growing, as is their ferocity.
Smaller organisations, which may have taken comfort from the fact they have shallow pockets, will now increasingly find themselves subjected to these random attack bursts.
Larger organisations will likely have long accepted they are tempting targets and will have put security best practices in place. These would include compartmentalising sensitive data to reduce the impact of any successful attack, and having robust and frequently tested recovery strategies in place.
It goes without saying that smaller organisations are much less likely to have such measures in place and would thus be highly vulnerable.
Risk becomes a business issue
One of the most interesting, and sobering, conclusions about cyber security comes from Gartner: by 2025, 60% of organisations will use cyber security risk as a determinant in conducting third-party business transactions and engagements.
In other words, a company’s ability to enter transactional relationships with customers, suppliers and governments will increasingly be determined by how effective its security posture is judged to be in real time.
A parallel development is the headlong digitalisation of business, which includes growing automation, the latter driven by the rapid development of artificial intelligence.
Naturally, the more dependent businesses become on technology, technology that is always changing, the more vulnerable they are to cyber attacks. Each new technology is a new opportunity for those who wish to do the organisation harm.
The threats are real, and they are legion. So how can we counter them, using the much-vaunted human ingenuity I referred to earlier?
Security moves from the edge to the endpoint. As WFA becomes normalised, the security focus must be the endpoints, the mobile devices used by employees.
Here we need to consider a mix of technology and behavioural changes to make these endpoints less vulnerable. E-mail remains a particular vulnerability, thanks to the persistent naivete of users.
On the technology front, advanced threat detection tools can be used to filter e-mails and web traffic that pass through the endpoint. These tools detect attachments and links, which are then detonated (opened or executed) in a sandbox environment to test whether they are malicious or not.
Early generations of these tools simply compared files against databases of known malware, an approach that is much less effective because it cannot cope with new threats.
In general, technology moves onto the endpoint, and encryption will be used to protect data in the event of a successful attack. Endpoints will thus become smarter and smarter.
On the behavioural front, advanced threat protection must be complemented with ongoing, effective training to keep users sensitised about their role in preventing phishing.
This is easier said than done as phishing and similar attacks become ever more sophisticated. Technology can also be used to prompt users to be more suspicious of e-mails; for example, by providing them with much more information about senders to prevent the growing scourge of impersonation.
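The sender checks the paragraph above alludes to can be made concrete. The following is an added example, not code from the article or from any vendor product it mentions: it takes already-parsed e-mail headers and reports the impersonation signals a mail gateway or client plug-in would surface to the user, namely a display name that belongs to a known colleague but arrives from a different address, a sender domain that is a close lookalike of the organisation's own, and a Reply-To that diverges from the From address. The domain `example.com`, the staff directory and the sample headers are all constructed for the example.

```python
"""Display-name and lookalike-domain impersonation signals over e-mail headers.
Added example, not part of the original article; all names and domains are constructed."""
from email.utils import parseaddr
import unicodedata

# Constructed: the organisation's own domain and a small staff directory
# (normalised display name -> canonical address).
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {
    "jane smith": "jane.smith@example.com",
    "raj patel": "raj.patel@example.com",
}


def normalise(name: str) -> str:
    """Lower-case, strip accents and collapse whitespace so 'Jane  SMITH' matches 'jane smith'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.lower().split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_signals(headers: dict) -> list:
    """Return the reasons a message looks like sender impersonation (empty list = no signal).
    `headers` maps header name -> raw value, e.g. {"From": "Jane Smith <x@y.example>"}."""
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    signals = []

    # 1. Display name of a known colleague, but the address is not theirs.
    known = DIRECTORY.get(normalise(display))
    if known and addr != known:
        signals.append(f"display name '{display}' belongs to {known} but address is {addr}")

    # 2. Sender domain is within two edits of our own domain (typosquat / homoglyph-style lookalike).
    if domain and domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        signals.append(f"sender domain {domain} is a lookalike of {INTERNAL_DOMAIN}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        signals.append(f"Reply-To {reply_to.lower()} differs from From {addr}")

    return signals


# Constructed sample headers: one genuine internal mail, two impersonation attempts.
SAMPLES = [
    {"From": "Jane Smith <jane.smith@example.com>"},
    {"From": "Jane Smith <jsmith.ceo@freemail.example>", "Reply-To": "payments@other.example"},
    {"From": "IT Helpdesk <helpdesk@examp1e.com>"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["From"], "->", impersonation_signals(sample) or "no signal")
```

The signals are deliberately returned as text rather than a verdict: the point of the paragraph is to give users more information about the sender, so the gateway would show these lines alongside the message rather than silently dropping it.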
Platform vendors join the fray
The providers of the platforms on which WFA typically occurs, such as Microsoft 365, have a view of the evolving threat landscape like nobody else because of the breadth of their customer base.
One of the most heartening developments is that these vendors are beginning to package different levels of security protection based on this knowledge and their virtually unlimited technology resources, a powerful ally for organisations of all sizes.
Move to zero trust
The zero trust approach means no machine attempting to log into a corporate network is automatically trusted; each must be authenticated and authorised for every corporate resource it attempts to access.
This process will involve assessing not only the credentials of the user but also the security status of his or her device.
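To show what "authenticated for each resource, assessing both the user and the device" looks like as a policy, here is an added example in Python; it is not code from the article or from any zero trust product. Each request is evaluated afresh from the user's identity and the device's posture (management enrolment, disk encryption, endpoint agent health, patch age), and the decision carries the reasons for denial so the user and the helpdesk can see which condition failed. The field `on_corporate_network` is present only to make the point that it is never consulted. The posture thresholds, group names and sample users and devices are constructed.

```python
"""Per-request zero trust policy evaluation. Added example, not the article's own
code; resources, groups and posture thresholds are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    authenticated: bool            # identity verified for this request (e.g. valid SSO token)
    mfa: bool                      # second factor presented for this request
    groups: set = field(default_factory=set)


@dataclass
class Device:
    managed: bool                  # enrolled in the organisation's device management
    disk_encrypted: bool
    edr_running: bool              # endpoint detection/response agent reporting healthy
    patch_age_days: int            # days since the last OS security update
    on_corporate_network: bool     # deliberately ignored: location confers no trust


@dataclass
class Resource:
    name: str
    required_group: str
    max_patch_age_days: int        # constructed per-resource posture threshold


@dataclass
class Decision:
    allowed: bool
    reasons: list                  # empty when allowed; otherwise every failed condition


def device_posture_failures(device: Device, resource: Resource) -> list:
    """Every posture condition the device fails for this particular resource."""
    failures = []
    if not device.managed:
        failures.append("device not managed")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if not device.edr_running:
        failures.append("EDR agent not running")
    if device.patch_age_days > resource.max_patch_age_days:
        failures.append(
            f"OS patches {device.patch_age_days}d old, limit {resource.max_patch_age_days}d")
    return failures


def authorize(user: User, device: Device, resource: Resource) -> Decision:
    """Evaluate one access request. Nothing is cached from earlier requests or
    inferred from where the request came from; user and device are both checked."""
    reasons = []
    if not user.authenticated:
        reasons.append("user not authenticated")
    if not user.mfa:
        reasons.append("MFA not presented")
    if resource.required_group not in user.groups:
        reasons.append(f"user not in group '{resource.required_group}'")
    reasons.extend(device_posture_failures(device, resource))
    return Decision(allowed=not reasons, reasons=reasons)


def evaluate_session(user: User, device: Device, resources: list) -> dict:
    """Map each resource name to whether this user/device pair may access it right now."""
    return {r.name: authorize(user, device, r).allowed for r in resources}


# Constructed resources with differing posture requirements.
RESOURCES = [
    Resource("wiki", required_group="staff", max_patch_age_days=30),
    Resource("hr-payroll", required_group="hr", max_patch_age_days=7),
    Resource("finance-ledger", required_group="finance", max_patch_age_days=7),
]

# Constructed actors.
HR_USER = User("jane", authenticated=True, mfa=True, groups={"staff", "hr"})
COMPLIANT_LAPTOP = Device(managed=True, disk_encrypted=True, edr_running=True,
                          patch_age_days=3, on_corporate_network=False)
HOME_PC = Device(managed=False, disk_encrypted=False, edr_running=False,
                 patch_age_days=90, on_corporate_network=True)  # plugged into the office LAN
STALE_LAPTOP = Device(managed=True, disk_encrypted=True, edr_running=True,
                      patch_age_days=20, on_corporate_network=False)

if __name__ == "__main__":
    for label, dev in [("compliant laptop", COMPLIANT_LAPTOP), ("home PC", HOME_PC),
                       ("stale laptop", STALE_LAPTOP)]:
        print(label, evaluate_session(HR_USER, dev, RESOURCES))
        print("  payroll reasons:", authorize(HR_USER, dev, RESOURCES[1]).reasons)
```

Note how the same user gets three different answers depending only on the device in hand: the unmanaged PC on the office network is denied everything despite its location, and a managed laptop that is merely behind on patches keeps the wiki but loses payroll, because each resource carries its own threshold.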
Another of Gartner’s predictions is that 60% of organisations will embrace zero trust as a starting point for security, but less than 50% will realise the benefits, given that it requires a significant mindshift.
It’s worth highlighting the fact that artificial intelligence’s growing sophistication is what makes most of this possible.
Given the volume of e-mails, for example, the detonation of links and attachments in a sandbox environment is something that must be automated; speed is vital, otherwise productivity will be negatively affected.
So, too, is the ability to build up user-profile and location data to identify impersonation – this is reliant on artificial intelligence.
One thing is certain: we cannot continue to think about cyber security in the same way. Even more importantly, we will have to keep adapting our strategies into the future.