Cyber-security is dead: Long live digital security
March 25, 2019
Mark Hughes of DXC Technology argues that cyber-security is an out-dated concept and that organisations need a holistic approach that addresses the wider digital risks that organisations face.
Businesses in the UK are facing more cyber threats than ever before, according to the National Crime Agency. Digital transformation efforts have also made it easier for hackers to gain access due to more systems being accessible online.
More worryingly, attacks aren’t necessarily about stealing information anymore. The weaponisation of availability is becoming a key tactic, where the very aim of the hacker is to take an organisation offline and make it impossible for them to conduct their business. This has led to huge ransomware attacks — who can forget WannaCry or NotPetya — which devastated public sector organisations such as the NHS, as well as many other global businesses?
Traditional cyber defences aren’t enough to protect organisations from this kind of threat. A new approach is needed where systems are secure by design — this is ‘digital security’ — and it offers far more protection against attack. Ensuring that security is built into every system and application that a business develops increases resilience and boosts protection from ransomware, by reducing the attack surface available to hackers.
Achieving digital security will require a shift within many organisations, who up until now have focussed on securing endpoints, and typically added security solutions to applications and platforms after they have been developed. But the consequences of not adopting digital security are too serious for it to be treated as an afterthought.
Hand in hand with digital transformation
Digital transformation (and increased connectivity) is a huge focus for many organisations. It is helping them to become more agile and efficient, and to provide a better customer experience.
However, could it also be increasing the likelihood of falling victim to a cyber-attack? A new app or new website could be great for customers. But if it’s poorly secured, hackers could use it as a gateway into the company network and gain access to other systems through apps that might have otherwise been considered totally secure. To mitigate this, organisations must consider how they can secure their entire ecosystem — while transforming it at the same time.
Rather than seeing security as a mere ‘bolt-on’ at the end of a project, organisations must ensure any digital initiative — such as a new mobile application or employee portal — has the security team involved from the get-go. In larger enterprises, this could represent a big change in how development teams work.
Often, as a result of organisational structure or legacy IT, large companies choose to create special digital units responsible for ensuring that new systems can function with old legacy IT —who then work closely with the development teams. We now need a similar approach to security, where cyber-security teams are embedded in development teams — so the app or new initiative functions well and is also properly secured.
Simplification is key to digital security
How teams secure apps will have other benefits as well. One of the main challenges to keeping a large enterprise safe is the multitude of tools that are currently used.
Many organisations use tens of security tools, if not more, resulting in a barrage of alerts and notifications; making it hard to see real security threats for false alarms. The result is that this array of security solutions only helps security teams identify an attack once it has taken place, rather than warning that one is in progress.
Unfortunately, many organisations see the process of improving security as simply buying additional tools or services, but the organisations then fail to implement the new tools or services uniformly across the business. Applying digital security would avoid the scenario where security tools are applied after development, and would require fewer point solutions, because everything is designed to be secure to begin with.
With fewer tools, it is easier to monitor their status and identify threats as they happen. This also simplifies every other link in the chain. For instance, managing access to data and applications is more successful if the same system is used across an entire organisation, because it’s harder to hide unusual activity — such as a malicious user logging-in at odd times.
Additionally, the process of patching business-critical systems can be simplified through automation, enabled by security applications applied throughout the whole organisation. This leaves security teams free to proactively identify threats rather than scurrying around trying to patch everything manually themselves. The key thing to remember is that we can make the orchestration of cyber-security systems easier and more complete, by integrating fewer tools, better, from the outset.
With the stakes having never been higher, businesses can’t afford to stick with outdated cyber-security approaches and must move away from an emphasis on securing endpoints to instead focus on digital security. Hackers are looking to leverage any potential vulnerability to gain access to systems or bring an entire organisation to its knees.
To ensure they stand the best chance possible of avoiding such an attack, businesses should build systems — and ensure that any digital transformation efforts — have security as a fundamental part of their design. Implementing core cyber-security practices uniformly and effectively during the development of all digital systems will increase resilience against cyber-attacks of the future.
Mark Hughes is Senior Vice President and General Manager, Security, at DXC Technology.
DXC Technology is a leading independent, end-to-end IT services company enabling digital transformation by modernizing mainstream IT, and by deploying digital solutions at scale to produce better business outcomes.
Image under licence from iStockPhoto.com, credit PeopleImages
Security researcher Bob Diachenko along with a team from Comparitech recently discovered a publicly-available database that contained nearly 188 million personal data records ranging from people's names, email addresses, dates …