The number of attacks on corporate IT security has increased by a staggering 66 per cent since 2009. This is the result of the Global State of Information Security Survey that is carried out annually by consulting firm PwC together with the CIO and CSO trade magazines.
Tiding talks with Alexander Moiseev, General Manager Europe at Kaspersky Lab about IT security, data protection and the challenges in the future.
Tiding: Do you think companies report hacker attacks to the competent authorities and make attacks public or is the issue rather kept under the table for fear of customer reaction?
I think companies are nowadays reporting attacks more frequently. I believe the bulk of them understand the huge risk they take by not doing so. In some countries, depending on the size and implications of the breach, reporting is now mandatory. But still, there are organisations out there that I’m sure routinely fail to alert authorities or make information about a breach public. To those organisations, I would strongly recommend that their boards and executives reconsider the implications of failing to have an open and honest dialogue with their stakeholders. When you consider that most organisations live and die by earning the trust and goodwill of their customers, an erosion of that trust can have far worse implications than reporting a breach. For large and very well-known companies in particular, the risk of the breach being made public, despite their best efforts, is typically quite high. To be frank, I can’t see how any business could feasibly get away with it in the long term. Purely from a security standpoint, the more we know and share information about breaches and hacks, the better we can protect against future attacks. Ultimately, sweeping attacks under the carpet only serves the interests of the cybercriminals, putting other organisations (and customers) at further risk.
What can companies do to effectively protect themselves?
Right now, the best way to protect your company is to make sure it is incredibly tough for any would-be attackers. You achieve this by implementing multi-layer security – endpoint protection, patch management, application control, encryption, mobile security, and of course network protection and a solid perimeter defence (i.e., a firewall). On top of this, you need ongoing education of your executives and employees because the vast majority of attacks on companies involve some element of human oversight, error or negligence. And if you are serious about your company’s security, you should make use of intelligence services and predictive analysis tools to stop problems before they start. The final piece of the puzzle is to hire a good CISO, and importantly, listen to their advice and recommendations. In the end, the goal is to make your organisation a genuinely frustrating target for attackers. You want them to take one look and think … I just don’t have the time, money, knowledge, and patience to get past all of this. You want them to lose interest quickly and it sounds bad to say it, but ultimately, you want them to put you in the “too-hard basket” and look elsewhere.
Are companies even aware which of their data need to be protected and which do not?
The answer is “probably not”. IT research company Gartner estimates that 80-90% of existing data in organisations is non-structured in databases and therefore often less well protected. When you combine this with estimates that the volume of data being collected each day in the world will increase up to 1000-fold by 2020, it paints a fairly bleak picture. If this scenario is true, companies will need to evaluate which data is confidential and needs protection (most likely a lot lower percentage than is currently the norm) and what is of a less private nature. What’s more, the data being protected will need to be protected to a much higher level than it is today as it will likely be of greater interest to attackers. In short, the stakes will be much higher. If this is how it looks in 5 years’ time, companies will be forced to rethink their data protection strategies. So if they are not currently aware of what needs protection and what doesn’t, they soon will be.
Do IT service providers in Europe know how to defend against hacking attacks?
It’s incredibly hard to answer this as it really depends on the organisation and where their individual priorities lie. There are so many factors – their size, the industry they operate within, the way they use IT. Then it can depend on the people within those organisations and their own approach to security. Companies with executive teams and boards that are more security aware and have more respect for the CISO role will naturally be better equipped to defend against hackers. Unfortunately, too many companies don’t realise the importance of IT security health and hygiene until they’ve become a victim.
What qualifications does an internal IT security person need to have?
I don’t really think I can provide a good answer for this. It can vary depending on the needs of the organisation and the particular role/job description. They certainly need to be forward-thinking, adaptable and know how to operate calmly and rationally under pressure.
Should companies always be looking for internal solutions or rather hire external providers?
I can’t think of too many organisations that would have the resources and/or expertise to develop their security solutions themselves. Admittedly, some parts of a solution can be engineered internally, but generally companies rely upon external providers to source expert solutions they can rely upon.
What does it cost to build up effective protection?
The cost can vary greatly. It should be kept in mind that there is no 100% effective solution, and no single product can guarantee your organisation’s security. In fact, there is a school of thought now that says that our definition of “winning” in security should be redefined not as blocking all threats, but ensuring data is not exfiltrated and losses are kept to a minimum.
Are there any estimates of the amounts of loss that companies may incur?
It depends on the attack. For instance, if it’s a simple Distributed Denial of Service (DDoS) attack that causes downtime, but no data leakage, the expense can only really be measured in loss of sales, although I do acknowledge that in some instances there is perhaps a degree of reputational damage (but that’s not really measurable). If, on the other hand, the attackers were able to steal millions of dollars from companies, the costs can be astronomical. In any case, we’ve done some high-level analysis that suggests it can cost anywhere from $50,000 to many millions, with the average cost of a data breach in a large company/enterprise estimated at $1.6m.
Is there even any real protection or will hackers always be one step ahead?
There are protections that are proactive approaches to security, but the nature of the game is that much of the research and resulting measures for prevention are reactively driven. When you think about it, hackers are simply criminals operating online and we will never completely stamp out crime; it’s really no different whether the perpetrators are operating online, or prowling the streets. As stated earlier, the trick is to build security to a level that acts as a strong disincentive for criminals. Think of it like this: I can’t guarantee that when I leave my home for a night out, it won’t be burgled … but I still bolt the door, lock the windows, close my curtains, flick the porch light on and activate my home security alarm. I make it hard for the criminals to rob me and I send them a clear message: “It won’t be easy so you’re better off looking elsewhere.”