How Much Security Is Enough?

Cybersecurity has become a significant and increasing cost of doing business, but by striving for a “best fit” solution, it can be a business enabler.

By Mark Vos, Chief Information Security Officer, Iress

As a security and risk professional, I am often asked: “how much security is enough?” It seems a simple enough question, but it manages to trip up so many people.  So what is the right answer? Is there a nice sound bite that one can give? Well, not really.

In a dynamic environment of increasing security threats, firms have a big challenge on their hands to ensure they continue to:

• Get their security governance structure right and clearly articulate roles and responsibilities
• Obtain executive level buy-in and sponsorship
• Base security investments on risk
• Use security as a business enabler, not just a cost
• Establish a security awareness programme
• Continue to assess and adjust their security capabilities to changes in the environment

It is certainly complicated. Barely a day passes without a press report relating to a security issue, and all financial services organisations now face greater security threats to their people, assets and operations from such diverse sources as:

• Terrorism
• Fraud and financial crime (both internal and external)
• Organised crime, including money laundering
• Information security threats from hackers and computer viruses

The level of complexity involved in managing such a diversity of threats means that cybersecurity has become a significant and increasing cost of doing business. The challenge is to develop a holistic approach to security management that responds to each of these demands in a coordinated, cost effective, and efficient way.

Where are firms focusing their InfoSec investment?
Our larger clients are spending millions in transforming their security functions and improving their security management practices across a range of areas, including:

• Risk management
• Information security
• Fraud and investigations
• Forensics
• Anti-money laundering
• Physical security
• Business continuity
• Crisis management.

For many, this investment represents a significant shift away from the manner in which they have traditionally managed security. It is also placing huge demands on their security teams to develop new management skills, and places demand on their partners and service providers.

The best fit model
It is becoming more common for organisations to strive for a “best fit” solution as opposed to obtaining “best practice” in every security matter. It’s about being commercial and pragmatic in the way security is managed. Conforming to best practice is an extremely expensive exercise that does not necessarily deliver business benefits equal to or greater than the expenditure required to get there. A best fit model is about understanding what the risks are, and applying the most appropriate risk mitigation strategy to reduce them, as opposed to applying the best practice processes regardless of the associated risk.

So how much security is enough? A good place to start is to identify the top risks your business is likely to face and find commercially pragmatic solutions that remediate those risks. And that’s exactly what firms must be focused on doing right now Global-scale cyberattacks such as the Wannacry ransomware attack and, more recently, the huge malware attack that brought chaos to the Ukraine before spreading internationally, can inflict real damage on an organisation, both in its ability to function and its reputation.

They are also a big reminder of the risks we all face - but let’s keep things in perspective. The reality is, you’re far more likely to suffer an internal security breach than from an external threat. According to a recent PWC report, half of the worst cybersecurity incidents were due to inadvertent human error.

When it comes to information security, people and process are critical. You can have the best patch management practices in the world, but if your employees aren’t being vigilant, you’re wide open to many different types of attack. The bottom line is that your company culture is what will ultimately define your security posture and its effectiveness.

What are you up against?
However good your defences, you need to work on the assumption that malware will get through from time-to-time. At that point it will be your diligence and awareness that makes the difference. So what sort of nasties are you up against?

• Bots and Zombies
• Ransomware
• Rootkits
• Spyware
• Trojan horse
• Virus

What these do is exploit vulnerabilities – either those of a system or an individual. Every 40 seconds, a company is hit with ransomware (in the first quarter, 2016 it was every two minutes).

By far the most common delivery vehicles for ransomware are attachments sent directly to your users in increasingly believable emails from seemingly trustworthy sources. A review by IBM Security found that the number of ransomware-infected emails sent this year has already increased 6,000% compared with 2016.

Cyber criminals are looking for an easy target and it’s your employees they are more likely to target, rather than your software. Humans have now moved ahead of machines as the top target for cyber criminals.

Awareness and breaking bad habits remain the biggest challenges when it comes to fighting phishing. A 2016 study on IT security infrastructure by the Friedrich-Alexander University, reported that 78% of respondents knew about the risk of unknown links in emails, yet they click anyway! So what can you do?

Don’t leave InfoSec to the IT department
Ten years ago, the job title “Information Security Analyst” didn’t exist. Today, there is a genuine worldwide shortage of qualified and experienced InfoSec specialists. They are in high demand, and with good reason. As the cyber threat grows and evolves, so must your cyber defence resources.

Three years ago, we set up a dedicated global information security team tasked with protecting our environment and those of our clients’. We recruited specialist subject matter experts who could educate others and keep up with ever-evolving cyber threats and techniques. The team was integrated into the business, not set apart as a traffic cop.

It’s their responsibility to perform and communicate information security within the business and make it everyone else’s responsibility too. It quickly became obvious that if we were going to do this successfully, we needed to take a client centric approach to everything we did. That meant:

• Defining metrics of the effectiveness of information security and providing that to the board to get their buy-in on commensurate information security investment
• Having a team that could influence colleagues and internal stakeholders
• Communicating information security in a clear and effective manner
• Focusing on the company culture, driving the importance of protecting client data, and other sensitive data

Make your people your first line of defence
Cyber security is an ongoing battle.  Make your people your first line of defence by developing information security awareness and vigilance among your employees so that everyone has the right level of knowledge about security and feels responsible for it.

A check-box training exercise is no longer enough. There must be a continued and concerted effort to bring about a real change in culture and behaviour.

It is a big ask for InfoSec teams. Employees are more tech savvy than ever before, often finding it easier to use their own familiar devices, apps and programmes than your authorised solutions. So-called “shadow IT” and BYOD pose new risks and challenges for IT and InfoSec teams who must not only adapt to accommodate these new ways of working, acknowledging where there is a real business need for greater flexibility and ease of use, but at the same time protect the business.

Be prepared to try different approaches to help the InfoSec message stick. 70% of millennials admit to bringing in outside devices into the work environment, against IT policies. 60% say they aren’t concerned about corporate security when they use personal apps instead of corporate apps.

You have a challenge on your hands to find ever-more creative and impactful ways to communicate security messages to all of your internal stakeholders. You’ll need a range of tactics up your sleeve:

• Regular internal communications – using all channels
• Multi-media communications, such as videos, blogs
• Promote and reward positive behaviour where people demonstrate “doing the right thing” in relation to information security
• Put into every staff member’s business plans a measure and KPI in relation to information security
• Have your CEO discuss the importance of information security to the company on a regular basis
• Educate and build awareness in fun and engaging ways, such as gamification

Layer your defences
Our InfoSec team has more than quadrupled in size over the past 2 years, and now has 12 people dedicated to Information Security which is a reflection of the growing importance we place on cybersecurity and also a direct response to the growing threat level the financial services industry faces. In that time, we achieved the ISO/IEC 27001 security certification, the internationally-recognised best practice framework for managing information security. It should also be noted that our first line of defence is our people, more than 1850 of them, not just the 12 that sit in the dedicated information security team.

Ultimately, the only thing protecting your business from becoming a cybercrime victim is your people, so layer your technology defences with a powerful human shield. Remain vigilant and continue to strengthen and evolve your security practices. As Einstein said, “We can’t solve problems by using the same kind of thinking we used when we created them.”

We’d love to hear your feedback on this article. Please click here