Security used to be the poor relation of enterprise technology. It was mostly a box-ticking exercise: you had to have a firewall, an anti-virus product, a patching programme and not much else.
Real business losses were rare, and the public and regulators were patient when companies did have problems.
Today we recognise that each of these measures has weaknesses, and enterprises are moving instead to a more holistic view of security.
It is not enough to protect individual entry points, such as email, or to protect the perimeter with a firewall.
This reflects the threats businesses face, not only from hackers but also from regulators and from a public that no longer accepts the usual excuses.
Companies in the UK are now expected to keep customer data encrypted in order to ensure its security. Even quite small firms have been fined for losing customer data because it was not properly encrypted.
The public is equally impatient when data is lost and is starting to vote with its feet and change providers when they realise security has been compromised. The mobile phone company which most recently lost customer files also lost over 100,000 actual customers in the wake of the scandal.
The other big change in the security landscape is the increasing professionalism of cyber attackers. Today’s attackers want money, not just to create mischief.
The rapid growth in attacks on ATMs is one sign of this, but the clearest example for business is the huge growth of ransomware.
Malwarebytes recently asked 500 companies in four countries about cyber security.
In the UK they found 54 per cent of companies had been targeted by a ransomware attack.
Attackers use a variety of techniques to gain access to a business's network. Once inside they run malware that encrypts files on the compromised systems, then demand payment, the ransom, in exchange for the key needed to decrypt them. Payment is usually demanded in bitcoin or another digital currency, and the amount is typically not enormous.
The scam appears to be hugely successful, in part because it is often easier and cheaper to pay than to restore systems from backups; that assumes the backups are up to date, intact and quickly available, and paying carries its own risk, since the attacker may never supply a working key.
Figures from the FBI estimated that payments made by US businesses to the crooks behind just one type of ransomware totalled $18m.
They noted that the attacks would have cost businesses far more than this in restoring systems, lost revenue and other associated costs.
So many organisations pay, which in turn funds the next round of attacks.
Recent targets in the UK and US have included hospitals which have been left unable to treat patients because medical staff were unable to access systems.
The bad guys don't even need technical skills: so-called ransomware-as-a-service portals provide everything needed, including the ransom note. You just fill in the amount and find some organisations to attack.
Cyber criminals are investing money in software development and in recruitment just like the security companies are.
Although this year has seen a big increase in ransomware attacks the technology remains relatively immature. The expected next generation are likely to be far more difficult to fight.
In fact many observers now suggest this is a better way to view the threat: as a competing company which you need to take into account in any decision about the business.
Aside from financially motivated crooks some organisations also face threats from state-sponsored attackers. These range from denial of service attacks on websites to the more disturbing attacks on power generation networks.
A wider issue for many businesses comes from the unintended consequences of government actions that were meant to be benign and to improve security.
Restrictions aimed at keeping the bad guys from accessing certain kinds of technology can end up driving research underground and making life harder for legitimate businesses. Attempts to mandate 'back-door' access to encryption tools, for instance, would put companies in an impossible position when promising their customers proper security, since a back door built for one party is a weakness available to any attacker who finds it.
Ongoing arguments over legislation governing data sharing between the US and Europe also create a cloud of uncertainty which makes designing and running cloud-based systems much more difficult.
The end result of all these changes is that cyber security is now at the forefront of business decision making.
The speed with which the bad guys will take advantage of any weakness means security really does have to be in at the ground floor for the creation of any new service.
The other issue pushing enterprises towards more holistic solutions is that it is all but impossible to isolate any individual business's systems any more.
A favourite recent anecdote was an attempted attack at a major bank which should probably remain anonymous. Their systems and procedures spotted the attempt and worked as they should and the attack was repulsed.
However the bad guys did not give up, they tried again but this time looked at indirect routes in.
Eventually they got access to bank systems via an attack on computers at a local gym. Bank staff got free gym membership, which meant there was a connection between the bank's human resources systems and the gym's IT systems.
The gym was less secure than the bank and this let the bad guys in.
This is the final lesson for modern, fit-for-purpose enterprise security.
In a world of ever more connected supply chains, facing attackers who move ever faster, even the best defended organisation will be successfully hacked at some point.
Even setting aside external connections, the average enterprise now relies on so many types of hardware, several operating systems and probably thousands of applications that weak points will exist.
So however good your security is you still need to plan for the worst. Assume you will be successfully attacked and think about what happens next.
You need more than a plan.
You need something like a fire drill – a well-practised routine where people know what to do and when to do it.
The future attacker works as part of a well-funded professional organisation. You have to assume they will get in eventually, so you need to be prepared for when they do.
Experts talk about the 'golden hour' immediately after an attack. Because cyber crooks rely on automated tooling, it is quite possible that you will know your systems are breached before the human attacker does, provided your own monitoring is watching for the signs.
Successfully executing a recovery plan in those precious early minutes can be the difference between an annoyance and a full-blown business disaster.
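As an added example, not code from the article and not any particular product's detection logic, here is a small Python detector for the file-activity pattern the ransomware described above produces: one process rewriting or renaming many files across several directories to a single new extension within a short window. It is the kind of automated check that gives a defender the 'golden hour' head start. The log format, process names, file paths and thresholds are all constructed for this example; in practice the events would come from an EDR agent or file-system audit log, and the thresholds would be tuned against the organisation's normal activity.

```python
"""Toy ransomware-activity detector over a constructed file-event log.

Flags a process that, within `window_seconds`, writes or renames at least
`min_files` files spread over at least `min_dirs` directories, where one
extension accounts for at least `min_share_pct` percent of the targets.
Added example; not the article's or any vendor's code.
"""
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (invented for this example). Format per line:
#   <ISO timestamp> <process> WRITE <path>
#   <ISO timestamp> <process> RENAME <old_path> <new_path>
# A compiler burst (many .o files in ONE directory) is included as a benign
# case that a naive "many writes" rule would wrongly flag.
SAMPLE_LOG = """\
2016-03-01T09:00:01 libreoffice WRITE /home/alice/docs/q1-report.odt
2016-03-01T09:00:05 thunderbird WRITE /home/alice/.thunderbird/inbox.msf
2016-03-01T09:01:00 gcc WRITE /home/alice/build/main.o
2016-03-01T09:01:01 gcc WRITE /home/alice/build/util.o
2016-03-01T09:01:02 gcc WRITE /home/alice/build/net.o
2016-03-01T09:01:03 gcc WRITE /home/alice/build/crypto.o
2016-03-01T09:01:04 gcc WRITE /home/alice/build/io.o
2016-03-01T09:01:05 gcc WRITE /home/alice/build/log.o
2016-03-01T09:01:06 gcc WRITE /home/alice/build/cli.o
2016-03-01T09:15:00 invoice.pdf.js RENAME /home/alice/docs/q1-report.odt /home/alice/docs/q1-report.odt.locked
2016-03-01T09:15:01 invoice.pdf.js RENAME /home/alice/docs/budget.ods /home/alice/docs/budget.ods.locked
2016-03-01T09:15:02 invoice.pdf.js RENAME /home/alice/docs/contract.pdf /home/alice/docs/contract.pdf.locked
2016-03-01T09:15:03 invoice.pdf.js RENAME /home/alice/docs/minutes.docx /home/alice/docs/minutes.docx.locked
2016-03-01T09:15:04 invoice.pdf.js RENAME /home/alice/photos/holiday1.jpg /home/alice/photos/holiday1.jpg.locked
2016-03-01T09:15:05 invoice.pdf.js RENAME /home/alice/photos/holiday2.jpg /home/alice/photos/holiday2.jpg.locked
2016-03-01T09:15:06 invoice.pdf.js RENAME /home/alice/photos/holiday3.jpg /home/alice/photos/holiday3.jpg.locked
2016-03-01T09:15:07 invoice.pdf.js RENAME /home/alice/photos/holiday4.jpg /home/alice/photos/holiday4.jpg.locked
2016-03-01T09:15:08 invoice.pdf.js WRITE /home/alice/docs/HOW_TO_RECOVER.txt
2016-03-01T09:15:09 invoice.pdf.js WRITE /home/alice/photos/HOW_TO_RECOVER.txt
"""


def parse_events(log_text):
    """Group (timestamp, target_path) pairs by process. For a RENAME the
    target is the new path, because that is where the new extension shows."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts = datetime.fromisoformat(parts[0])
        proc, op = parts[1], parts[2]
        if op == "WRITE":
            target = parts[3]
        elif op == "RENAME" and len(parts) >= 5:
            target = parts[4]
        else:
            continue
        events[proc].append((ts, target))
    return events


def detect_encryption_bursts(log_text, window_seconds=60, min_files=6,
                             min_dirs=2, min_share_pct=75):
    """Return {process: alert_details} for processes showing a mass-rewrite
    burst to one dominant extension across several directories.
    Thresholds are assumed defaults for this example, not tuned values."""
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for proc, evs in parse_events(log_text).items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # All of this process's events inside the sliding window.
            in_window = [p for (t, p) in evs[i:] if t - start <= window]
            if len(in_window) < min_files:
                continue
            dirs = {os.path.dirname(p) for p in in_window}
            if len(dirs) < min_dirs:
                continue  # e.g. a compiler filling one build directory
            ext, count = Counter(os.path.splitext(p)[1]
                                 for p in in_window).most_common(1)[0]
            # Integer arithmetic avoids float edge cases at the threshold.
            if count * 100 >= min_share_pct * len(in_window):
                alerts[proc] = {"extension": ext, "files": count,
                                "dirs": sorted(dirs), "first_seen": start}
                break  # one alert per process is enough to trigger response
    return alerts


if __name__ == "__main__":
    for proc, info in detect_encryption_bursts(SAMPLE_LOG).items():
        print(f"ALERT {proc}: {info['files']} files -> {info['extension']} "
              f"in {info['dirs']} from {info['first_seen'].isoformat()}")
```

Run against the constructed log, the compiler burst passes quietly (one directory) while the dropper is flagged on its first rename window, before its ransom notes have even finished landing. The same three-part test (volume, spread across directories, one dominant new extension) is what makes the rule robust against ordinary bulk file operations; pair it with an automated response such as isolating the host or suspending the process, since a human reading alerts cannot keep up with an automated attacker.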