The Criminal Equation!
When considering the question of “How can businesses maintain security?” I did what everyone does and searched on Google. I found an interesting article by one of our partners, Carbon Black, talking about the criminal equation. Why do criminals carry out crimes? In reality it’s a simple cost benefit equation.
For those without a degree in mathematics, let me explain:
- Mb + Pb – what do I stand to gain from committing the crime… monetary or psychological benefits?
- Ocm + Ocp – what do I stand to lose if I get caught? My freedom, and how much time do I have to invest?
- Pa Pc – what are the chances that I will get caught and convicted?
We all know there is little or no chance of a conviction when dealing with cyber-crime. If there is a slim chance of getting caught, what discourages cyber-criminals from hacking your network?
Nothing, and this completely changes the results of the equation in today’s digital world.
The only reason a network hasn’t been compromised is that it hasn’t been worth the cyber-criminal’s time.
As sobering as the equation is, it makes one thing clear. We simply need to make this cost benefits equation equal out! We don’t need to make it impossible to break into, we only need to make the cost of breaking in greater than the value of our data.
So we start by understanding our data; not only the value of it, but also where it is and who has access to it.
Once we understand that, we can formulate a plan. Unfortunately there’s no magic fairy dust, and no one product that can make all your information security problems disappear. You need a layered approach and it’s not just IT’s responsibility, it needs a complete buy-in from the business, the Board and users, to make it work.
This approach has always been the best advice and remains true of information security today.
We work on four pillars of security:
Firstly, Testing. Before you do anything you need to understand your starting position. To do this it’s best to employ an independent third party security company. We use the same tools as hackers to identify critical weaknesses in customers’ defences. These services normally include Penetration or Vulnerability Testing, or Security Gap Analysis. This creates the baseline for your infrastructure and it allows you to quickly remediate and close any gaps.
Secondly, Detect and Respond. Nearly every company I know has already deployed security products whether that’s a firewall at the perimeter of the network, or anti-virus on the users’ machines. Relying on these products alone is not enough to protect you as cyber-criminals can easily circumvent these solutions, neither is adding more products. What is important, is that these products are monitored and alerts or indicators of compromise are investigated before they are allowed to take hold and spread through the network. However, the majority of companies simply haven't got the resources or the time and responsibility falls to the IT Manager. Even the best IT Managers don’t have time in between their heavy workloads to investigate the millions of logs generated by the firewall. Outsourcing your security to experts is usually the best and most cost effective solution.
The third pillar concentrates on the human layer – Staff Awareness. Most modern day attacks start with some user interaction and are successful because someone clicked on a link, installed some software, opened a suspicious email or visited a malicious website. Users can, and should, be trained in the basics of information security to enable them to identify suspicious emails, set strong passwords and handle sensitive data appropriately.
Finally, Certification. It's becoming increasingly important to meet the standards set out by the Government in the Cyber Essentials scheme. This is a great starting place to test your security, not only ensuring you have the basics right but also demonstrating to your customers and business partners that you take data security seriously. To further enhance your security you can look at other schemes such as Cyber Essentials Plus, IASME Gold and ISO 27001.
In the ever-changing world of cyber security, maintaining security can be challenging but getting the basics right will go a long way to protecting you and your business. For more information or to take a positive step towards protecting your business from cyber-crime, contact CyberGuard Technologies’ security experts on 01299 873 805 or email [email protected].