The world today

James Hatch, Director of Cyber Services, BAE Systems Applied Intelligence, believes there are powerful forces changing the threat landscape and creating new challenges for security managers and CISOs. The way we think about cyber security needs to change.

Security in the digital world

In the digital world, physical distance becomes irrelevant. If you’re defending a business or organisation in a highly connected world, you need to be able to understand and deal with threats from all over the globe, by different actors with various motivations. Lines of responsibility also become blurred – in a world without boundaries, who makes the rules and enforces them?

With so much uncertainty, it’s unsurprising that most businesses and organisations take an ‘inside-out’ approach to cyber defence, focusing on themselves and the things they can control. However, this can leave them blind to the threats lurking beyond their immediate environment.

The criminal fraternity that we seek to protect ourselves against is highly connected – information, ideas and techniques are shared quickly and adapted to target a huge number of organisations across the globe. Unlike the businesses they target, cyber criminals care little for geographies or sectors.

Three levels of attacks

Cyber criminals typically target us in three ways. To use a simple analogy, they start by looking for open windows through which they can enter undetected. It requires minimal effort and poses very little risk to the criminals.

If all the windows are locked, they will have to try a more sophisticated method and will knock on the front door and try to trick their way in. Organisations are increasingly subject to these types of targeted attacks and are using active monitoring and response to address them.

As we get better at defending our windows and doors, criminals are forced to undertake more difficult and costly methods. The third option available to them is to target the very foundations on which the house is built, by subverting the technology on which our business and security depends. Because of the level of sophistication required, these attacks have so far tended to be national security issues, but we should expect to see the proliferation of these techniques as we have with others.

There is a lot of inconsistency in terms of how we defend ourselves against these attacks. We still see businesses struggle to balance priorities successfully – either missing some of the basics because they are distracted by complicated security technology or lacking the capacity to defend against targeted attacks because they are too busy running around closing windows.

Make your voice heard

Let us know what you think about the issues facing cyber security professionals.

Threat is a constant

Cyber criminals aren’t going to stop trying or adapting their techniques. In the next few years the volume of threats, against which businesses and organisations will have to defend themselves, will continue to rise considerably and evolve.

The industrialisation of crime

In large part this is down to the industrialisation of cyber crime. Criminals no longer need to be adept at cyber techniques to carry out attacks. Increasingly, cyber criminals are selling their expertise to the highest bidder and turning cyber crime into a service. This new and significant criminal fraternity is lying in wait for information to become compromised. When it is, it has the capability to commit large-scale, sophisticated crime.

We’ve also reached a tipping point. Thanks to cloud computing, more of the information that matters most to businesses and organisations exists outside of that organisation’s four walls rather than inside it. To go back to the earlier analogy, our fixation on using technology and experts to close windows is misplaced if most of the silverware has been moved to a warehouse on the other side of town.

…and it’s accelerating

At the same time, the number of points of vulnerability through which criminals can carry out an attack is growing considerably. The opportunities created by the Internet of Things (IoT) are massive and will significantly change the way we live and work. But without some regulation and basic security principles in place we risk being the architects of our own downfall.

The IoT is a prime example of our wider attitude to technology and digital services. In most cases, economic incentives lead developers to prioritise speed to market and customer experience. Security is, at best, a secondary consideration.

We call this a good persona bias – technologies and digital services are designed with the assumption that the person controlling their use is doing so with good intentions. Security tends to mitigate against the potential misuse by a bad persona, but this usually happens later on in the process rather than being built into the design. The focus is on how to create the best experience for the customer, rather than the most secure.

As well as creating a larger threat surface area, we’re also likely to see criminals’ speed of operation outpace human security management and operations. A degree of automation already exists through automated hacking in which criminals use bots to find and hijack vulnerable servers. Automation presents as many opportunities to criminals as it does businesses and we should expect to see it incorporate increasing levels of intelligence. Furthermore, a security breach could spread further and faster as business and society become more automated.

Responding to a changing landscape

We are making giant leaps forward in our approach to cyber defence. Our understanding of the threat landscape, the various actors and the techniques they use to target businesses and organisations has never been greater. Venture capital and competition are driving a high level of technical innovation. And good quality guidance and information sharing forums are increasingly accessible.

But the threat landscape we face is constantly changing. It is a dynamic environment where every measure we put in place has a countermeasure. The threat to businesses, governments and society is constantly evolving as cyber criminals seek to create and exploit new vulnerabilities.

Foreword

Julian Cracknell, Managing Director, BAE Systems Applied Intelligence, says it’s time to move on from the age of secrecy. To meet the challenges of our highly-connected world, we have to stop giving cybersecurity the silent treatment.

James Sullivan, Cyber Programme Lead, Royal United Services Institute (RUSI), Andrzej Kawalec, CTO and Head of Strategy and Innovation, Vodafone, and Professor Alan Woodward, Surrey University Centre for Cyber Security, look at redefining roles.

Become part of The Intelligence Network, a global community in the fight against cyber crime. Sign up to find out more, receive updates on our progress, and get on the guest list for exclusive events.

Alternatively, benefit from the latest cyber threat insights and updates from BAE Systems.

Join now Latest insights

If you would like to know more and want to get in touch, please email:

theintelligencenetwork@baesystems.com

Visit our main website