Discover Performance: HP Software's community for IT leaders // January 2014
Fighting cyber crime with preparation and personnel
Larry Ponemon discusses the nature of today’s sophisticated adversaries and the best practices of organizations that manage to keep the business impact low.
Today’s cybercriminals are smarter and better funded than ever. No wonder the cost to defend our organizations against cyber crime just keeps going up. In the four years since the IT research firm Ponemon Institute first released its annual “Cost of Cyber Crime Study,” the average annualized cost of cyber crime has increased 78 percent.
In a world where cyber crime syndicates target specific corporations in an effort to hamstring national economies, what can organizations reasonably do to control the cost of enterprise security?
Chairman and founder Larry Ponemon sat down with us to share his thoughts on the spiraling cost of cyber crime defense. In this second of two articles, Ponemon shares why it’s an uphill battle, plus the best practices of security leaders. (Part one, in our previous issue, covered Ponemon’s warnings about the trajectory of rising security costs.)
Q: HP Enterprise Security SVP Art Gilliland has spoken about the existence of a cyber crime marketplace. Do you agree that specialization is contributing to the success of criminals?
Larry Ponemon: Art is absolutely correct. If you go back maybe a decade or so, the bad guy was probably a high school or college kid trying to prove his muscle by getting into the Pentagon or confidential systems. Now, we’re dealing with cyber syndicates, and these are run like business organizations, where you have management and technicians and all sorts of folks whose full-time job is to infiltrate organizations and steal information or disrupt business.
These organizations hire very smart people, people with more than one PhD in some cases, and all they do is work on crime. They have the ability to get into just about any system, even those that are supposedly fail-safe or nearly perfect.
We’re also starting to see more nation-sponsored attacks. Some countries simply turn a blind eye to their crime syndicates, but there are others, like China, where they are training an army of people to do cyber crime. The people they choose have very high IQs and great math and computer science skills. These attacks tend to be extremely targeted: they’re looking to get inside a specific organization because they realize that that organization has something very valuable.
One technique they use is constantly probing for the soft underbelly of a company’s technology infrastructure. The companies most at risk are critical infrastructure companies such as utilities, health and pharmaceutical, communication, and even major financial institutions, where, if you attack them and bring them down, you basically can bring down an economy. Countries see this as the equivalent of a major weapon, on par with an atomic or nuclear weapon. That same mentality is being applied here.
Q: In your research, business disruption was found to be one of the higher costs of cyber crime defense. What can companies do to prepare on that front?
LP: Disruption happens. It happens all the time, for lots of reasons, not just cyber attacks, but we find that IT downtime can be reduced pretty significantly by being prepared and having a Plan B.
When you think about disruption, most people think about an IT event in which the data center becomes “turned off,” if you will, and it can’t meet its mission. In reality, the event may not be that extreme. It may be a rack or one server that goes down, and it may be down for just a few minutes.
Whether it’s a partial disruption or a full disruption, you need redundant procedures that enable you to keep on serving your customers or your end users. From their point of view, maybe things slow down a little bit during an event, but the goal is that it doesn’t actually put you out of business completely.
So if you’re an e-commerce company, you must try to avoid the situation where customers can’t consummate a transaction. For customers, even getting a warning that they’ve never seen before, or finding that things just don’t feel right, creates a problem that could be much more severe. People may not be entirely loyal. If a website is not giving what they need, or if they believe there may be security issues, they may seek out a competitor.
You need a strong Plan B so that, from the end user’s point of view, it looks like there’s just maybe a little slow-down. Preventing customers from seeing the actual disruption is an important business and technology objective.
There’s also the issue of disruption to the business process, not just the IT impact. Those are more difficult to deal with, because you can’t necessarily have a Plan B—a separate business process. What you’re trying to avoid, ultimately, is idle time or loss of revenue because people are prevented from doing their jobs.
There are procedures that can reduce the disruption—you just have to have the right programs in place and redundancies. Our research has found that the more highly placed business continuity management is in an organization, the better equipped it is to deal not just with IT disruptions, but disruptions to operating processes that affect the business negatively.
Q: Is it reasonable to think of your business continuity spending as an investment in security as well, then?
LP: Yes. A lot of organizations realize that business continuity and security are inextricably linked. These organizations believe that they’re best served by putting business continuity and security under one roof, rather than two disjointed groups that operate in silos. Working in tandem becomes a really effective way of dealing with disruption overall.
I think it’s smart because one of the ugly consequences of security failure is business disruption, not just technology disruption. So having them tied leads to a much better outcome.
Q: What are the core characteristics of an organization with very effective security?
LP: You need the right mix of things: personnel, technology, feedback, and governance.
Having the right personnel is a very important first step. The best security mavens—the gurus of security—have this instinct where they know where to look and how to do things without getting sidetracked by false leads. A lot of organizations don’t fully appreciate that; they think that they can take a person without that skill set and, with very little training, make them a security expert.
The second issue is choosing the right technologies. We’re starting to see a trend toward convergence of different point solutions. It’s a more enterprise orientation to security. Of particular value are technologies that help you identify different characteristics of security problems and put that information into a form that gives actionable intelligence—information that can be used to make decisions.
The problem with intelligence is that some of it gets old pretty quickly. It becomes stale after a couple of hours. So you have to build your system in real time, so you can figure out what to do right now to solve a problem.
Another issue for creating a strong security posture is some form of feedback. Companies that have a stronger security posture also have ways of providing feedback to the individuals in the security area, as well as feedback to senior level executives on the success or lack of success of the security function.
And finally, governance. We’re moving pretty quickly away from central IT. End users are responsible for making sure that they’re protecting data and their devices are not infected with viruses, and so on. To make that work, you have to go behind the scenes to make sure they’re doing what they need to do at the device or endpoint level.
That requires good governance, and good governance means you have to involve folks who are not your normal cast of characters: people in the business unit, the user community, people in sales and marketing, communications, manufacturing, logistics, and so on. You need many voices, and people have to agree to work together, which is not that easy to do. But I think that’s the new reality for many CISOs.
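The remark in this answer that intelligence "becomes stale after a couple of hours" is usually put into practice as time-decayed indicator scoring: a feed entry keeps its weight only while the source keeps re-confirming it, and hits on aged-out entries are routed to review rather than raising an alert. The following is an added illustration written for this page, not code from the Ponemon Institute or HP; the two-hour half-life, the 0.5 action threshold, the indicator values and the log events are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Fixed reference clock so the example is deterministic (constructed value).
NOW = datetime(2014, 1, 15, 12, 0, tzinfo=timezone.utc)

# Assumed aging policy: an indicator loses half its weight every two hours
# unless the feed re-confirms it. Tune per source; these are placeholder values.
HALF_LIFE = timedelta(hours=2)
ACTION_THRESHOLD = 0.5


@dataclass
class Indicator:
    value: str            # the IP or hostname reported by the feed
    kind: str             # "ip" or "domain"
    last_seen: datetime   # when the source last confirmed the indicator
    confidence: float     # 0.0 .. 1.0 as supplied by the source


def freshness(ind: Indicator, now: datetime = NOW) -> float:
    """Exponential decay in (0, 1]: 1.0 when just confirmed, 0.5 after one half-life."""
    age = max(now - ind.last_seen, timedelta(0))
    return 0.5 ** (age / HALF_LIFE)


def score(ind: Indicator, now: datetime = NOW) -> float:
    """Source confidence weighted by how recently the source confirmed it."""
    return ind.confidence * freshness(ind, now)


def is_actionable(ind: Indicator, now: datetime = NOW) -> bool:
    return score(ind, now) >= ACTION_THRESHOLD


def refresh(ind: Indicator, seen_at: datetime, confidence=None) -> Indicator:
    """Re-confirmation from the feed resets the clock (and optionally the confidence)."""
    ind.last_seen = seen_at
    if confidence is not None:
        ind.confidence = confidence
    return ind


# Constructed feed entries: one fresh, one half a day old, one fresh but low-confidence.
SAMPLE_INDICATORS = [
    Indicator("203.0.113.10", "ip", NOW - timedelta(minutes=30), 0.9),
    Indicator("198.51.100.7", "ip", NOW - timedelta(hours=12), 0.9),
    Indicator("bad.example", "domain", NOW - timedelta(hours=1), 0.6),
]

# Constructed proxy/firewall events: (timestamp, source IP, destination host).
SAMPLE_EVENTS = [
    (NOW - timedelta(minutes=5), "203.0.113.10", "intranet.example"),
    (NOW - timedelta(minutes=4), "10.0.0.5", "bad.example"),
    (NOW - timedelta(minutes=3), "198.51.100.7", "intranet.example"),
    (NOW - timedelta(minutes=2), "10.0.0.6", "intranet.example"),
]


def match_events(events, indicators, now: datetime = NOW):
    """Split indicator hits into alerts (fresh enough to act on) and hits on
    stale indicators, which go to a review queue instead of paging anyone."""
    by_value = {ind.value: ind for ind in indicators}
    alerts, stale = [], []
    for ts, src, dst in events:
        for field in (src, dst):
            ind = by_value.get(field)
            if ind is None:
                continue
            hit = {"time": ts, "match": field, "score": round(score(ind, now), 3)}
            (alerts if is_actionable(ind, now) else stale).append(hit)
    return {"alerts": alerts, "stale": stale}


def run_demo():
    result = match_events(SAMPLE_EVENTS, SAMPLE_INDICATORS)
    # Once the feed re-confirms the old indicator, its hits become actionable
    # again; work on copies so the sample data itself is left untouched.
    refreshed = [replace(ind) for ind in SAMPLE_INDICATORS]
    refresh(refreshed[1], NOW)
    result["after_refresh"] = match_events(SAMPLE_EVENTS, refreshed)
    return result


if __name__ == "__main__":
    for key, hits in run_demo().items():
        print(key, hits)
```

With these assumed settings the 30-minute-old indicator still scores about 0.76 and alerts, the 12-hour-old one has decayed to about 0.01 and is only queued for review, and the one-hour-old entry with a weaker source confidence of 0.6 already sits below the threshold at about 0.42. Re-confirming the old indicator restores its full weight, which is the "real time" property the answer above is asking for: the decision depends on when the source last vouched for the indicator, not on when it first arrived.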
Q: How much might a company be able to reduce its cost to defend the organization?
LP: Complexity is the enemy of security. If you can reduce complexity, it will help you prioritize and choose the battles that are necessary to fight. That can help reduce costs, though never to zero. Security costs money, and there will always be some imperfection, even if you’re nearly perfect.