5 cybersecurity myths debunked
Just as our lives have increasingly moved from the physical to the online world, the threats associated with this medium have grown correspondingly. The number of potential data breaches - and the threats behind them - is evolving rapidly, and many organisations are finding their defences increasingly on the back foot.
The reality is that IT departments find it difficult to be as nimble as the people attacking their systems. According to Lloyd's Risk Index 2013, a poll of 588 senior and board-level executives, cyber risk ranks third among 50 risks globally.
What is also becoming obvious is that the cost of a data breach far exceeds that of implementing the right security measures in the first place. In a report titled Cost of Data Breach Study: Global Analysis, published by the Ponemon Institute, the cost per breached customer record ranges from US$78 to US$233, depending on the sector involved.
Organisations have mostly focused on preventive measures, but this is proving insufficient. Instead, organisations need to start playing to their strengths rather than to their fears of what might happen.
When approaching cybersecurity, organisations should consider five of the most common cybersecurity mistakes:
Mistake 1: "We have to achieve 100 per cent security"
Reality: 100 per cent security coverage is neither feasible nor the appropriate goal.
Almost all airlines emphasise flight safety as their highest priority in addressing the inherent risks of flying. Should data safety not similarly be the focus of organisations managing the risks of handling large amounts of data? Yet just as flying risks can never be mitigated 100 per cent, neither can protection against cybercrime be foolproof. There are, however, choices you can make about your defensive posture.
Perfect security is just as much an illusion as completely eliminating the risks of flying. Just as "business as usual" among airlines involves mitigating the risks by knowing them, greater emphasis must be placed on cybersecurity intelligence with a focus on early detection and preparing robust response measures.
Mistake 2: "When we invest in best-of-class technical tools, we are safe"
Reality: Effective cybersecurity is less dependent on technology than you think.
Having security tools integrated into the organisation's technology architecture is an essential starting point. However, having tools is no substitute for having a coherent plan. A holistic and robust cybersecurity policy and strategy should, therefore, drive the selection of tools in the toolbox, rather than the reverse of buying the tools first and then working out what toolbox they belong in. Good security starts with developing a robust cyber defence capability. While this is generally led by the IT department, knowledge and awareness among end users are similarly critical. The human factor often remains the weakest link.
Returns from investing in the best tools are limited by how well the people using them understand their responsibilities in keeping their networks safe. For example, social engineering - where hackers manipulate employees to gain access to systems - remains one of the biggest risks organisations face.
Mistake 3: "Our weapons have to be better than those of the hackers"
Reality: The security policy should primarily be determined by your goals, not those of your attackers.
The fight against cybercrime is a race that cannot be won, as defence is by definition often one step behind: a threat has to be identified before it can be countered. While it is important to be aware of the latest attack techniques, this should not distract from protecting one's most important assets. Organisations need to understand the relative value of their information assets and the implication of their loss for their core business. More importantly, organisations need to consider the value of their assets as potential cybercriminals perceive it. A business case for cybersecurity can then form the basis for investment and resource allocation.
Mistake 4: "Cybersecurity compliance is all about effective monitoring"
Reality: The ability to learn is just as important as the ability to monitor.
Being capable of understanding external threat trends and using this insight to formulate policy and strategy are both critical to long-term prevention. While it is understandable that cybersecurity measures are often driven by compliance with rules and policies, compliance cannot be the ultimate goal of the cybersecurity policy. Organisations need to understand how threats evolve and how to anticipate them. This goes beyond cybersecurity monitoring, and is both more cost-effective and more focused.
Any monitoring needs to be underpinned by intelligence requirements, and is only as effective as the knowledge of what to look for and where. Organisational methods to assess and report cybersecurity risks have to be developed, including protocols for determining risk levels and escalation procedures. Having strategic insight into cyber risks and understanding their impact on your core business is paramount.
Mistake 5: "We need to recruit the best professionals to defend ourselves from cybercrime"
Reality: Cybersecurity is not a department, but an attitude.
Delegating cybersecurity responsibility to a single organisational department of specialists is akin to delegating flight safety only to aircraft mechanics. Air crews ignoring safety procedures would be analogous to people in organisations developing the attitude that cybersecurity is "not my problem". This may increase the risk of cybercrime.
Making cybersecurity an organisation-wide approach is never easy. For example, it may involve cybersecurity becoming a part of human resource policy and the approach to developing new IT systems. However, it should never be an afterthought as is often the case, gaining attention only at the end of such projects.
The author is head of IT Assurance and Security, KPMG in Singapore.
The views expressed are his own.