With a broader frontline to defend and increasingly sophisticated actors, businesses are finding strength in simplicity.
With the rise of cloud, workforce mobility, artificial intelligence and the internet of things, the front line of cyber-defence is significantly broader today than it was even five years ago. At the same time, both state-sponsored and profit-driven actors are better resourced than at any point in history. Attack vectors can shift year to year, and even month to month – exploiting new vulnerabilities before the organisation has even understood its own weaknesses.
According to Symantec’s latest Internet Security Threat Report, formjacking emerged as the breakthrough threat of 2018, as hackers became increasingly skilful at infecting e-commerce sites and skimming consumers’ payment information. The technique exploits both direct web vulnerabilities and those of third-party widgets or plugin providers.
This demonstrates how pragmatic and savvy attackers have become. They are fully able to attack new weaknesses, piling in to exploit short-term revenue opportunities while simultaneously staying committed to the long game: prodding and probing for months or years at a time, for a drip-feed of information until the moment when they can make a huge financial profit.
As the threat landscape has intensified, alongside the addition of vectors such as the cloud, defences have proliferated. The cat-and-mouse game of attacker and attacked has ushered in an era of rapid – though largely reactive – innovation, focused on delivering specific solutions to new security challenges. But over time, the sheer quantity of these solutions has become untenable for security, procurement and compliance teams to keep pace with. Equally problematic is that this struggle to keep up places has increased strain on talent, driving up salaries and the total cost of ownership, and decreasing job satisfaction.
The era of platform security
As threats mount, organisations seek to refocus their finite human resources more on detecting and defending against attacks, and less on researching, implementing and managing a patchwork of vendors that can often run into the hundreds.
This macro-level refocusing is underpinning a push towards simplicity and integration across the industry: fewer vendors, less complexity, and more centralised management. With this shift, the cyber-security industry has entered the platform era.
Security professionals now demand integration, incorporating hardened, up-to-date tools paired with centralised management and shared telemetry in all layers of defence. The industry analyst community reflects this shift, with more and more reports focusing on integrated platforms – such as The Forrester Wave™: Zero Trust eXtended (ZTX) Ecosystem Providers, Q4 2018.
Security professionals’ drive to consolidate to an integrated cyber-defence platform is not driven solely by the need to simplify technical operations. Right up to board level, organisations are increasingly concerned with legislation such as GDPR, which requires robust data security measures, and threatens serious penalties in cases of non-compliance.
In addition, the EU’s NIS Directive applies to operators of essential services (OES) – more commonly understood as organisations that form part of the critical national infrastructure, such as energy, transport and health companies, and digital service providers such as cloud services. The NIS Directive requires technical and organisational measures to manage risks posed to network and information systems, and demands concrete steps are taken to prevent and minimise security incidents. As with GDPR, failure to comply can result in significant fines.
With unity comes strength
A patchwork approach to cyber-defence will only drive vulnerability and overburden human resources, as innovations in cloud, IoT and workforce mobility continue to demand more of already stretched security teams. Companies must address the complexity within their own cyber-defence structures and adopt a more strategic approach. This means rebalancing reactive efforts by investing more time, energy and resources into defining and executing against a cyber-security vision.
There are many approaches for cyber-security professionals to consider, but perhaps the four most fundamental are:
- Maturing and consolidating cyber-defences, automating key processes and compliance
- Educating the business on the threat landscape, and demonstrating how cyber-security can become a business and transformation enabler
- Being both pragmatic and bias-conscious in your efforts to overcome the skills gap; recruiting and upskilling a diverse range of talent to tackle the diverse challenges we face
- Redefine the risk posture, securing buy-in and sign-off from specific business departments and the board
To maximise security, increase team effectiveness and align with key regulations, unity is the only way forward.
Learn more here.
By Darren Thomson, Chief Technology Officer, EMEA at Symantec