On 6 October, the Court of Justice of the European Union issued a landmark ruling, declaring the U.S. Safe Harbour provision set up by the European Commission 15 years ago invalid.
The decision has resulted in a great deal of uncertainty regarding the transfer of data from European Union member states to the United States. But one implication of the decision is very clear. It points to a fundamental shift in perspective regarding cybersecurity strategy.
For many years, cybersecurity has been regarded as a simple rote application of technologies like anti-virus, firewalls, intrusion detection systems and so on. There was certainly acknowledgement that security required attention to process and people as well. Nonetheless, not only international provisions such as Safe Harbour, but also guidance such as the ISO 27000 family of standards, focused on technology as the centre of cybersecurity.
Meanwhile, attackers have shifted to a focus on users, rather than technology, as the weak link in cybersecurity. RSA recently published joint research performed with ISACA on the current state of cybersecurity (http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf) that sheds very important light on the dangers of social engineering attacks.
The report provides the results of a survey of cybersecurity professionals, conducted in the first quarter of 2015. It shows that phishing and other kinds of social engineering attacks targeting users were the most common attacks within enterprises in 2014: nearly 70 percent of respondents cited phishing as having resulted in exploits in the enterprise, and 50 percent cited other social engineering attacks.
A shifting frontline
These changes in attack strategies and regulatory policies mean that Irish businesses need to build a process-based cyberdefence that pays attention to the changing face of cyberthreats and regulatory issues. This “advanced cyberdefence” combines effective governance and intelligence-driven security solutions.
To start, a company needs to understand the potential for attackers to exploit the vulnerability of its users, the interest of attackers in taking advantage of that potential and the impact that such an attack could have. Indeed, cyberattacks are more a case of when, not if. Having the right defensive tools, and the right organisational protocols in place, can be the difference between a glancing blow and a devastating breach.
Companies need to think beyond traditional cyberdefence tools. For organisations that deal in e-commerce and sensitive data, like customer information, reliance on a standard anti-virus suite is not enough. Using intelligence-driven security software, on the other hand, provides a proactive line of defence against attack.
Think of a traditional anti-virus as a perimeter wall. For determined hackers, this wall can be scaled easily, often before anyone notices. An intelligence-driven security solution, the kind we pioneer at RSA, is more like a patrolling sentinel, actively checking for intrusions and questioning those who seem suspicious.
If I’m a hacker somewhere in South America trying to access a company’s server in Dublin using stolen credentials, an intelligence-driven security solution would analyse my location, my credentials and my computer, in addition to other variables, in order to check my identity. For someone who’s not who they’re pretending to be, passing through this gauntlet of checks is extremely difficult, and so access to private information is denied. In general, these intelligent solutions can be scaled to fit a company’s specific data protection and security policies, making them agile and flexible.
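The gauntlet of checks described above, as an added illustration that is not RSA's product logic or code from this article: a small risk-based authentication scorer that combines the device, the country and an impossible-travel check before deciding whether to allow, step up or deny a login. The signal weights, the thresholds and the Dublin user profile are constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class UserProfile:            # what the system has learned about an account
    known_devices: set        # device fingerprints seen before
    usual_countries: set      # countries the user normally logs in from
    last_login: tuple         # (unix_seconds, lat, lon) of the previous success

@dataclass
class LoginAttempt:
    credentials_ok: bool      # password/secret verified by the normal check
    device_id: str
    country: str
    lat: float
    lon: float
    timestamp: float          # unix seconds

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), used for the impossible-travel check."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_score(profile, attempt):
    """Combine several signals into a score plus the reasons behind it (weights assumed)."""
    if not attempt.credentials_ok:
        return 100, ["bad credentials"]
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score, reasons = score + 40, reasons + ["unknown device"]
    if attempt.country not in profile.usual_countries:
        score, reasons = score + 30, reasons + ["unusual country"]
    t0, lat0, lon0 = profile.last_login
    hours = max((attempt.timestamp - t0) / 3600.0, 1e-6)
    if distance_km(lat0, lon0, attempt.lat, attempt.lon) / hours > 1000:
        score, reasons = score + 50, reasons + ["impossible travel"]
    return score, reasons

def decide(profile, attempt):
    """allow / step_up (ask for a second factor) / deny, by assumed thresholds."""
    score, _ = risk_score(profile, attempt)
    return "deny" if score >= 70 else "step_up" if score >= 30 else "allow"

# Constructed sample: an account normally used from Dublin on one known laptop,
# last seen there an hour before an attempt with valid but stolen credentials.
DUBLIN_USER = UserProfile({"laptop-A"}, {"IE"}, (1_000_000, 53.35, -6.26))
STOLEN_CREDS = LoginAttempt(True, "unknown-7", "BR", -23.55, -46.63, 1_003_600)
```

Valid credentials alone are not enough here: the unknown device, the unusual country and the 9,000 km jump in one hour push the score past the deny threshold, while the same user on their known laptop in Dublin passes without friction.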
A company’s cybersecurity cannot depend entirely on technology.
Effective governance and “security hygiene” amongst all staff, not just the IT department, are vital to protect assets. This can be as straightforward as a company-wide training day on the importance of updating software when prompted, creating strong, unique passwords and deleting unsolicited emails with suspicious attachments.
Companies must also put in place a defined structure and hierarchy to deal with security breaches quickly and effectively. This “critical incident response team” must know how to act, who to contact and which assets to secure in a time of crisis.
As the latest Court of Justice ruling shows, it’s difficult to find a safe harbour in the storm of cyberattacks, but there are ways to protect against damage and mitigate risk. An advanced cyberdefence policy combines intelligent technology with sensible, proactive governance, and it’s an essential strategy for Irish companies to safeguard data.
Often, security breaches can be found and fixed in a short space of time, but they can have long-term, sometimes permanent, effects on a business’s reputation and viability.
Robert Griffin is Chief Security Architect at RSA, the Security Division of EMC, and also teaches on the IMI Diploma in Digital Business, which will commence in Spring 2016. At RSA he is responsible for technical architecture and standards and is particularly active in RSA’s initiatives to address the challenges of new threats and new models for IT. He is a frequent speaker at many professional and industry conferences and has instructed courses within both professional and university settings.