BreachExchange mailing list archives

The Fifth Frontier- Cyberspace


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Jun 2015 23:04:39 -0600

http://www.computerworld.in/opinion/the-fifth-frontier--cyberspace

Remember Captain Kirk talking about “Space, the final frontier”? — To
explore strange new worlds and boldly go where no man has gone before. As
we dawn upon new vistas of technological advancement, the power of the
cyberspace seems limitless. Its sovereignty, however, is under constant
threat. Different technologies are being introduced every day, often
outpacing the ability to properly assess associated risks.

Cyberspace reckons the emergence of war in the fifth domain

In recent times, a fifth domain, cyberspace, has emerged in addition to the
four traditional war domains — land, sea, air and space. Compared to
earlier times, when the scope of war strategies was restricted by borders,
cyberspace wars transcend borders into the virtual world — and the
consequences are just as devastating and real. In fact, it could be
catastrophic — malicious software bringing down military e-mail systems;
security breach in oil refineries and pipelines leading to explosions;
cyber-attacks on power grid servers resulting in widespread black-outs. The
World Economic Forum predicts a 10 percent chance of a major infrastructure
breakdown in the near future, which may cause damage to the global economy
amounting to USD 250 billion[1].

Cybersecurity is becoming a board-level concern

Organizations have become easy targets of different forms of attack, since
they have been increasingly relying on digitized information and sharing
vast amounts of data across the globe. As a result, every company’s
day-to-day operations, data and intellectual property are at a serious
risk. In a corporate context, a cyber-attack can not only damage the brand
and reputation of the company, it can also result in loss of competitive
advantage, create legal/regulatory non-compliance and cause significant
financial damage.

Various recent events vindicate the adverse outcomes of cyber-attacks and
security breaches. In November 2014, a large media company reported a major
cyber-attack in which social-security numbers of 47,000 of its current and
former employees were leaked; sensitive financial information such as
salaries was published and copies of several yet-to-be-released films were
distributed online. Some well-known financial and e-commerce companies have
also suffered major data breaches. Earlier in 2013, a hoax post brought a
major financial index down by 1 percent within 7 minutes, destroying
billions of dollars in value.

The evolving threat landscape calls for a strategy overhaul

As the level of persistence and sophistication of cyber threats increases,
it is becoming difficult to predict the nature of threats that will emerge
in the next five or 10 years. The only sure way to counter the threat is to
align the organization’s cyber security strategy with its business strategy.

With 17 editions published so far, EY’s Global Information Security Survey
(GISS) [2] is one of the longest running and highly valued surveys of its
kind. EY’s GISS outlines “The Activate-Adapt-Anticipate” approach to
streamline the cyber security journey for organizations across the globe.
Some of the key findings of the survey are highlighted below:

►  Cybersecurity strategy should be led from the top. Currently,
cybersecurity strategy and execution is primarily seen as an IT
responsibility. The survey indicates that nearly 80 percent of CIOs have
the Information Security function reporting directly to them, compared with
just 14 percent reporting directly to the CEO. Organizations need to
involve senior leadership in cybersecurity. Lack of executive buy-in opens
the doors to mistakes and cyber criminals.

►  The first step is to build a solid foundation of cybersecurity.
Organizations are making progress on building the foundations of
cybersecurity — and this progress is important — however, most respondents
report having only a “moderate” level of maturity in their foundations.
Across almost every cybersecurity process, between 35 percent and 45
percent of respondents rated themselves “still a lot to improve.”

►  Mix of preventive and detective technologies is a must to combat
cyber-attacks. According to the survey, 57 percent of respondents think
that employees are the most likely source of an attack; 53 percent point to
criminal syndicates; 46 percent point to Hacktivists; and 35 percent think
external contractors working onsite are the most likely source of an
attack. Designing a well-defined and automated Identity and Access
Management (IAM) program can help organizations prevent and detect
cyber-attacks.

►  Lack of cybersecurity skills is an important roadblock. While the need
for specialists deepens, lack of specialists is a constant and growing
issue. Also there is a need to build skills in non-technical disciplines to
integrate cybersecurity into the core business. According to the survey, 53
percent of organizations state that lack of skilled resources is one of the
main obstacles that challenge their information security.

►  Potential cost of a cyber-attack can be fatal. Many organizations view
the costs of cybersecurity as considerable. They underestimate the
potential cost of a cyber-attack. Nearly 65 percent of respondents cited
budget constraints as their number one obstacle to delivering value.
Organizations must understand they are under daily attack, the attackers
show no signs of giving up, and they are getting smarter and more targeted.
The next breach could be fatal.

Winning the cyberwar can be an exciting journey

Cyberspace is a challenging technological sphere ready for war and each
organization will need to attack to defend itself better. To do this means
shedding the “victim” mindset of operating in a perpetual state of
uncertainty (and anxiety) about unknown cyber threats. Today’s attackers
have significant funding, are patient and sophisticated and target
vulnerabilities in people, process as well as technology. To be able to
conquer the cyberwar, companies need to build awareness and advanced
capabilities, develop a compelling strategy and install cybersecurity
components throughout the business. Therefore, anticipating cyber-attacks
is the only way to be ahead of cyber criminals.