EDITOR’S COMMENT
Five stages in an organisation’s
cybersecurity maturity
BT and KPMG research indicates organisations have no
choice but to progress through the maturity pains of
adapting to cybersecurity demands, according to Lushen
Padayachi at BT.
Lushen Padayachi is Head of Security at BT
Some of the most recognisable names
in the world of finance have found
themselves the unwitting victims of
determined cyber attackers. The financial
services industry is wising up to the threat
of cyber crime, making security a priority
by placing it firmly on the boardroom
agenda. But while banks and insurance
companies boost their defences to ward
off attacks, cyber criminals show no sign
of slowing down.
According to joint research by BT and
KPMG, criminal entrepreneurship is on
the rise. Cyber attackers are no longer the
stereotypical hacker in the basement, but
full-fledged organisations with advanced
tools and technology. An example of this
is the creation of malicious ready-to-use
services, or crime-in-a-box, sold to the
highest bidder.
Anyone with malicious intent, but
without the intellectual capital or
technology and experience, can easily
purchase ready-made cyber attack
packages. Often referred to as Crime-as-
a-Service, it lowers the barriers of entry
into cyber crime, opening the door to
those who were previously incapable of
launching these types of attacks.
A typical crime-in-a-box toolkit
includes malicious software, supporting
infrastructure, stolen personal and
financial data and the means to monetise
criminal gains. With this toolkit available
to purchase or hire as a service, it is
relatively easy for cyber crime amateurs
to launch cyber attacks on a scale
disproportionate to their real size. They
can gather resources quickly and easily,
and as soon as authorities discover and
take down cyber crime services available
online, they can pop up elsewhere.
In the wake of recent high profile
global cyber attacks, people are well
aware of the evolving cyber crime
landscape. It has become crucial to
think about cybersecurity differently and
understand digital risk.
The joint report by BT and KPMG,
The cyber security journey – from denial
to opportunity, defines the five stages
businesses go through in managing their
security risks.
Denial: Despite the hype and media
coverage of large scale attacks, the reality
is that all firms face low-level cyber
attacks every day. The majority of these
are unsophisticated, but depressingly
effective nevertheless. It is important to
know and understand that cyber crime
has no boundaries. No region, industry
or organisation is bulletproof.
Worry: Once the significance of
good cybersecurity has finally sunk in
and you fully appreciate the potential
damage of an attack, the next step in
your journey begins: worry. Boards
start to fret about how best to protect
themselves. How much should they
spend? And on what? Some see
technology as a cure-all, while others
see the answer in policies, governance
and standards. But technology alone
will only win battles. It will not win the
war. We must combine technology,
people and processes to stand a chance.
False confidence: The next step
in the journey is for organisations
to move beyond worry to a certain
level of confidence in their security
defences. After all, they have invested
in the software, people and processes.
However, more sophisticated attacks do
take place when criminals stop hitting
companies indiscriminately, and begin
to target specific individuals, or insiders
steal data and defraud employers.
Hard lessons: Even the best
prepared organisations often learn
hard lessons after a major cyber attack.
Suddenly, the media spotlight turns on
senior executives and it is tempting to
play the blame game, trying to find the
guilty party, which can cost jobs.
True leadership: True leaders
think differently about security. They
see cybersecurity as an opportunity;
a business unit, not a cost centre.
They help implement new services,
tracking and monitoring their security,
continuously adapting their defences
to deal with the changing threat. They
develop metrics of security which
resonate with the business, and give
senior leaders appropriate confidence
in the organisation’s security stance.
From protecting private information to
preventing a market meltdown, the finance
sector has to do more to keep hackers and
cyber terrorists from causing irreparable
damage to the global economy.
Issue 11
INTELLIGENT TECH CHANNELS