Forbes recently published an article called “Cyber security is dead – What now?” and it’s such a good read that we’re highlighting it here in our own blog stream.
In summary it suggests the war against cyber crime has already been lost.
Yes, contrary to popular belief that the world is busy fighting the war against cyber crime, Forbes says the war is over, and that cyber crime has won.
The evidence lies in the fact that “widespread, successful cyber attacks are disrupting critical infrastructure, supply chains, basic systems of food production, transportation, banking, energy and health care delivery”.
Forbes says that cyber crime is now a global industry and that cyber security as we know it is failing. We can see it in the way cyber criminals are managing to target all sizes of businesses, all manner of services, even governments, schools and NGOs.
It also says that in the 20 years between the late 1990s and the late 2010s, the cybersecurity industry, politicians, public policymakers, and organisational leaders have embraced growth over resilience, compliance over security and technology over people. What we did wrong was to:
• focus on externalities – such as threats, attackers, zero-day attacks – instead of internal, controllable things such as data protection, access controls and ID management.
• work to comply with cyber security regulations instead of securing our vital, most-at-risk organisational assets such as our data.
• secure everything in the same way instead of differentiating and prioritising our assets and risks.
• allow cyber security vendors to dictate our priorities.
Forbes reminds us that “it only takes one click from one user on one bad email link to compromise many organisations’ digital assets.”
It also quotes the well-used, but controversial, cyber security saying that defenders have to be right 100% of the time while attackers only have to be right once.
We need to stop:
• pretending cyber security is all we need
• obsessing over attackers and attacks
• buying technology for our cyber security needs
We need to start:
• mapping our data: this is a task most businesses already have to do as part of their data privacy compliance journey.
• assessing and developing our data resilience: by combining backup and cyber security and focusing on business continuity we can keep cyber security at the core.
• taking the warnings about improving cyber education to heart: we simply must spend more time raising awareness amongst our colleagues, friends, and family.
The article concludes with these encouraging words: “We must stop looking for easy answers. Until we reshape our priorities and admit the cybersecurity war is lost we will never move past the current crisis and begin rebuilding. Wars are fought and sometimes lost, but that doesn’t mean it’s the end. It means there’s an opportunity for a new beginning.”