Thirty years ago, my first encounter with a computer virus looked a little something like this: an infamous Ping-Pong ball bouncing across my screen. At the time, addressing cybersecurity generally meant little more than the physical security of assets.
Fifteen years later, the world of cybersecurity first appeared on my radar when the first service providers hit the market. Back then, talking cybersecurity with the uninitiated wasn’t easy. I would say “firewall,” and people thought I was talking about increasing a website’s availability.
Fast forward to today: I can post an article on a blog open to anyone around the world, and everyone will understand me! Cybersecurity is no longer limited to a class of geeks who swear by two or three specialized journals on the topic. In fact, every day and across every news source, you’re sure to find articles discussing everything from government spying scandals, to threats against banks or chemical plants made by some nameless organization that will now become immensely famous, to revelations of confidential information stolen from big companies.
cybersecurity and cybercrime: are we losing the war?
(Potential) victims view cybercrime very negatively. What could be more normal when you’re the victim? Just a few days ago, the World Economic Forum revealed that the impact of cyberattacks could cost a trifling $3 trillion by 2020. Personally, I have a hard time understanding numbers that big. So let’s just look at it in terms of the global economy. Losing $3 trillion is roughly equivalent to wiping Germany off the economic map. Utterly unthinkable, you might say! And yet, some have envisioned that kind of consequence.
However, the media failed to mention that the $3-trillion figure came from an estimate that relied on a very specific hypothesis: the public and private sectors would just shrug their shoulders and give up in the face of these threats. And then, another hypothesis surfaced, approaching cyber threats from a much more positive angle: what if they actually boost economic growth? What if they foster innovation and creativity? What if they force us to improve our methods of containing threats? What if we get stronger after taking a hit because we learn from our failures? And of course, this hypothesis led to totally different results. Under this hypothesis, the result isn’t $3 trillion in losses but $9 to $20 trillion in economic gains. We’re no longer wiping Germany off the map; now we’re adding a new China or United States!
So let’s learn from our mistakes, capitalize on them and respond positively. This way, everyone will end up a winner (though the security industry will probably be the biggest winner).
learning from your mistakes
First reflex: cybersecurity! This means planning ahead to respond to emergencies with calm and composure. Let’s keep the following things in mind:
- organizations that apply security policies in line with the threats they face know how to respond to security incidents. They are prepared to identify the threat, react accordingly, and implement emergency action plans to keep the threat at bay (as long as they apply the policy)
- technology alone is not enough. You have to analyze events and processes to ensure your response matches the critical importance of the threatened resource
- traditional security is good, but it can only be used to define security barriers and protect against certain threats. You then have to monitor to make sure no one gets past these barriers. To use a more familiar image, this means closing your doors and windows to keep out intruders. Unfortunately, even if these security measures cost an arm and a leg, they’re still vulnerable to attack. So you have to place sensors at strategic points to make sure no one breaks in
- security incidents are great publicity. Even if you have the best security policy and apply it perfectly (which never happens!), cybersecurity is still never 100% safe. Incidents help IT security managers explain why investment is necessary and show how much an incident costs. Without resources, it’s an open bar. Incidents multiply and $3 trillion goes up in smoke by 2020
- lastly, even if security sensors are set up and processes are in place, incidents change the way you detect and react to threats. They’re a reminder that you have to improve detection, processes and organization by analyzing and learning from what didn’t work, and what did work!
conclusion: chin up!
Even though cybersecurity was noted as a failure at the International Forum on Cybersecurity a few weeks ago, it still has a long and bright future ahead of it as long as we realize that technology vendors are no longer the main players in cybersecurity. Instead, it’s the potential targets that now have to organize and protect themselves through:
- business risk analysis
- processes
- organization
- expertise
- technology
- constant questioning
Sébastien
I’m in marketing and I’ve been a security product manager at Orange Business since 2009. My goal: popularize security and teach the average Joe about risks and solutions.