"Organisations defending themselves from cyber attacks seem to have the odds stacked against them; they need to find and fix all the holes within their systems but the attacker only has to find one."
Jerome Smith, PA cyber security expert
The UK Government ranks cyber security as a Tier 1 priority in its National Security Strategy. The number of reported attacks is increasing rapidly and, for obvious reasons, many organisations choose not to go public when they have suffered an attack. While we can examine these documented attacks for trends, it’s important to realise that the threat of cyber crime is always an individual calculation: the threat to an independent retailer is very different to the threat to a global bank.
Organisations that have enough value, not necessarily financial, to attract targeted attacks are most at risk because, while the attacker’s resources and skills are important, so is motivation. What’s interesting about the attacks against Sony last year is that those flaws were always there; it just took a number of motivated attackers to take a close look at them.
Although the majority of organisations are aware of cybercrime, what can be lacking is understanding and action. When this occurs at board level, the problem can become systemic, which stops information security getting the attention it deserves and has consequences for everyday behaviour that may increase the organisation’s risk.
PA Consulting Group has significant experience working with clients in the public and private sectors to help develop an effective cyber security strategy. PA can help clients in a number of ways, for example, structuring the governance and risk management approach, identifying which assets need the most protection from which risks, and assessing the strength of existing security measures through penetration testing. PA also has training solutions, from security awareness programmes to technical courses, to help build in-house capability.
Organisations defending themselves from cyber attacks seem to have the odds stacked against them; they need to find and fix all the holes within their systems but the attacker only has to find one. To stay one step ahead, organisations should take a comprehensive view of security that encourages defence in depth. By building a culture of security and considering detection as well as prevention, organisations can help to protect themselves against attacks they hadn’t even conceived.
Jerome Smith is a cyber security expert at PA Consulting Group