Five stages in an organisation's cybersecurity maturity
Some of the most recognisable names in the world of finance have found themselves the unwitting victims of determined cyber attackers. The financial services industry is wising up to the threat of cybercrime, making security a priority by placing it firmly on the boardroom agenda. But while banks and insurance companies boost their defenses to ward off attacks, cyber criminals show no sign of slowing down.
They are constantly changing tactics and relentlessly trying to outsmart their targets by staging ever more sophisticated attacks.
According to joint research by BT and KPMG, criminal entrepreneurship is on the rise. Cyber attackers are no longer the stereotypical hacker in the basement, but full-fledged organisations with advanced tools and technology. An example of this is the creation of malicious ready-to-use services, or crime-in-a-box, sold to the highest bidder.
Anyone with malicious intent, but without the intellectual capital, technology or experience, can easily purchase ready-made cyberattack packages. Often referred to as Crime-as-a-Service, it lowers the barriers of entry into cybercrime, opening the door to those who were previously incapable of launching these types of attacks. The threat that this assembly-line cybercrime with a price tag poses to financial services organisations should not be underestimated.
A typical crime-in-a-box toolkit includes malicious software, supporting infrastructure, stolen personal and financial data and the means to monetise criminal gains. With this toolkit available to purchase or hire as a service, it is relatively easy for cybercrime amateurs to launch cyberattacks on a scale disproportionate to their real size. They can gather resources quickly and easily – and as soon as authorities discover and take down cybercrime services available online, they can pop up elsewhere.
In the wake of recent high-profile global cyber-attacks, people are well aware of the evolving cybercrime landscape. It has become crucial to think about cyber security differently and understand digital risk. The joint report by BT and KPMG, "The cyber security journey – from denial to opportunity", defines the five stages businesses go through in managing their security risks.
Despite the hype and media coverage of large-scale attacks, the reality is that all firms face low-level cyber-attacks every day. The majority of these are unsophisticated, but depressingly effective nevertheless. It is important to know and understand that cybercrime has no boundaries. No region, industry or organisation is bulletproof.
Once the significance of good cyber security has finally sunk in and you fully appreciate the potential damage of an attack, the next step in your journey begins: worry. Boards start to fret about how best to protect themselves. How much should they spend? And on what? Some see technology as a cure-all, while others see the answer in policies, governance and standards. But technology alone will only win battles. It will not win the war. We must combine technology, people and processes to stand a chance.
# False confidence
The next step in the journey is for organisations to move beyond worry to a certain level of confidence in their security defenses. After all, they have invested in the software, people and processes. However, more sophisticated attacks do take place when criminals stop hitting companies indiscriminately and begin to target specific individuals, or when insiders steal data and defraud employers.
# Hard lessons
Even the best prepared organisations often learn hard lessons after a major cyber-attack. Suddenly, the media spotlight turns on senior executives, and it is tempting to play the blame game, trying to find the guilty party, which can cost jobs.
# True leadership
True leaders think differently about security. They see cyber security as an opportunity – a business unit, not a cost center. They help implement new services, tracking and monitoring their security, continuously adapting their defenses to deal with the changing threat. They develop metrics of security which resonate with the business, and give senior leaders appropriate confidence in the organisation’s security stance.
From protecting private information to preventing a market meltdown, the finance sector has to do more to keep hackers and cyber terrorists from causing irreparable damage to the global economy. Crime-as-a-Service is going to spread, and at a time when the financial industry is becoming far more complex, the industry as a whole must play a part in ensuring that it continues to enjoy the trust of its customers. Institutions must work together by sharing information and intelligence on new threats, and in doing so, limit the pernicious effects of cybercrime.
BT and KPMG research indicates organisations have no choice but to progress through the maturity pains of adapting to cybersecurity demands, according to Lushen Padayachi at BT.