Intelligent CISO Issue 9 - Page 37

L Looking back over the last year, some could argue that it’s been an unremarkable year for cybercriminals due to a lack of any mega-attacks, such as the high-profile ransomware attacks of WannaCry and NotPetya in 2017. However, it’s important to note that cybercriminal and nation state hacking groups haven’t disbanded – if they are meeting their aims using covert tactics and existing techniques, why deploy new ones? Instead they have likely been working to develop new techniques, which they can deploy as defences are strengthened. Fail to prepare, prepare to fail Organisations need to be prepared for both similar and more sophisticated attacks in 2019. The overriding priority must be taking measures to make the business secure. Security doctrine for years has advised a layered approach FEATURE the most data breaches and the GDPR mandatory 72-hour breach reporting requirement, it has never been more important to have a clearly defined plan to reduce the likelihood and impact of being breached. If WannaCry or NotPetya had used a more effective means to breach an organisation’s perimeter security, the impact would have been truly catastrophic. Organisations aren’t preparing in vain – in 2017 the number of total breaches and total records exposed each jumped by 24% over 2016 and this number is only on an upward trajectory. There are clear financial implications as well – in 2018 the average data breach fine increased to £146,000. Nik Whitfield, CEO, Panaseer – think of the many layers of onion skin protecting the core. However, by focusing solely on the outside, many companies’ security is more like an egg – hard on the outside, soft and mushy on the inside. If WannaCry or NotPetya had used a more effective means to breach an organisation’s perimeter security, the impact would have been truly catastrophic. The advent of EU GDPR made preparation even more crucial. Given that 2017 smashed world records for www.intelligentciso.com | Issue 09 The issue is compounded by the problem that most companies are not aware that they have been breached for several months, or even years, after the event. This is because there is usually no immediate impact on the company (with the exception of some of the newer breaches, such as ransomware). Cybercriminals frequently hold stolen data for a long time then offer it for sale to other criminals when it becomes valuable. As no company can be 100% secure, there must be clarity on acceptable levels of risk and investment in the fundamentals of the basics of cybersecurity. Knowing, on any day, what assets you’re protecting, how they’re controlled and how they’re 37