The RSA Conference last February brought together 40,000 of the brightest minds in cybersecurity, along with their products, promises and predictions. But as RSA's Amit Yoran repeatedly pointed out, “There are no silver bullets in security.” We can't apply pricey “next-gen” solutions and think that keeps us safe from further attack. The intruders are already inside, and the damage they'll cause is not a matter of “if” but “when.”
Nowhere has this been more apparent than in the technology industry. Despite record-breaking cybersecurity spending, we're still playing a defensive game of catch-up. It's time for technology companies to go on the offensive. It's hunting season.
Networks are now borderless — perimeter-based defenses alone will be as effective as line infantry against guerilla fighters lurking in the forest. Cloud, mobile and constantly emerging technology disruptions of all kinds make corporate networks more vulnerable than ever before. Connected, virtualized everything creates new opportunities for exploitations, brand new schemes of unprecedented complexity and multiplying motives.
Our best defense is the ability to detect early and respond rapidly.
The threats are layered, entwined and multi-vectored, so our security measures have to be multifaceted. To protect our organizations from all the right angles, we need to understand our cyber economic business risk — which of the threats, motives and malicious actors will put our organization and assets in their crosshairs. Have we done a clear assessment of all the ways they can infiltrate and what they are most likely to do or steal once they are in? In assessing risk, we have to look way beyond our infrastructure: to data assets, intellectual property (IP) of all types, geopolitical influences, critical strategies and initiatives, and, perhaps most importantly, business relationships, from vendors to supply chain partners to M&A targets.
Our best defense is the ability to detect early and respond rapidly. Automation, artificial intelligence and machine learning should ease the burden of monitoring and remediation, but they are no match for advanced persistent threats (APTs). In this environment, technology organizations need to build a “hunting culture” that enables creative, curious problem-solvers to track down opponents, malicious code and potential threats from competitors, state-sponsored spies and organized crime rings. Actively hunting for APTs and indicators of compromise (IOC) will provide a much more precise profile of how and why an enterprise is being targeted. These forensic investigations should be done proactively, and as a central component of any M&A transaction, to track threats throughout the extended business network and to gain crucial insight into how stolen data or IP could be leveraged in the future.
Data and IP are currency, both to legitimate organizations and to criminal ones. Like money, data can be used as leverage in myriad ways. Competitors might want to lurk on your M&A activity to get insight into pipelines and negotiation strategies. Hacktivists might be after your board books. State-sponsored terrorists might collect employee data to enable social engineering techniques that will allow them access to inject malicious code into products or networks, wreaking havoc throughout critical infrastructure or across a client base.
The human intelligence factor in cyber defense cannot be underestimated. Meaningful, corporate-wide education about cyber hygiene (e.g., strong passwords, multifactor authentication, encryption and phishing schemes) is increasingly essential. Close, constant monitoring of user access, identity management and authentication protocols is also being emphasized in security recommendations. Knowing exactly who is allowed to do what with which data assets makes it easier to detect intruders and stop leaks.
Woven together, these offensive and defensive cybersecurity measures give technology companies a fighting chance against adversaries. Visibility across our networks, supply chains and beyond is paramount. A comprehensive view of our cyber economic business risk is the key to setting priorities and strategies, spending wisely on cybersecurity technology and hunting down the bad guys before they can get our gold.
Jeff Liu is global sector head, technology – transaction advisory services, EY. He is a principal of Ernst & Young and a senior managing director at Ernst & Young Capital Advisors, a broker-dealer affiliate of Ernst & Young that provides investment banking services. The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.