Dramatic headlines last week from the latest Verizon Data Breach Investigations Report would seem to suggest that the battle against cybercrime is being lost.
Verizon said that, having analysed 10 years' worth of data covering 100,000 security incidents, 92 percent of attacks could be traced back to just nine threat patterns, meaning firms have kept falling for the same types of scams and attacks throughout that period.
The nine threat patterns include malware attacks, device loss or theft, distributed denial-of-service (DDoS) attacks, payment card skimming and web app attacks.
The other four are cyber-espionage, point-of-sale intrusions, insider theft and miscellaneous errors, such as sending emails containing sensitive data to the wrong person.
Some news reports I have seen have suggested this means the "bad guys are winning" and that firms need to take note and realise no one is immune from a data breach.
However, as anyone who works in this sector knows - especially those of us working with critical infrastructure businesses, as I do - no one will be surprised by these findings; they are well aware they are under attack daily. But this does not mean the industry is losing in some way to the criminals. Awareness of the threat means most security teams today take a more realistic approach to their security.
Many of the Chief Security Officers (CSOs) and their teams I talk with daily recognise they are regularly under attack; what's more, they know that, unfortunately, the compromise is often the result of someone in the organisation doing something they should not do, such as clicking a link in an email. The most common threats they face daily are ones that no longer make newspaper headlines, but these older vulnerabilities are still out there and present serious challenges to security teams nonetheless.
For example, a CSO at a major banking customer of ours recently told me they still find computers on their network infected with Conficker, despite that threat being years old. He also said his biggest security risk is the employees themselves doing things they know they should not do, compromising their PCs and therefore the network.
Ultimately, it is critical that CSOs and their teams are able to identify and deal with a threat quickly and trace what interaction the compromised machines have had with the rest of the network.
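The scoping step described above, tracing what a compromised machine has touched, is the part most teams do by hand against proxy or firewall logs. The script below is an added example, not code from the original post or from any vendor product: it starts from a seed list of hosts already known to be infected, walks outward over internal source-to-destination connections to find which other internal hosts they contacted (and when), and lists the external destinations every suspect host reached. The log format, the addresses and the 10.0.0.0/8 "internal" range are all constructed for the example.

```python
"""Scope a compromise outward from known-infected hosts using connection logs.

Added example (not from the original post). The log format and all
addresses below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <src> <dst> <dst_port> <bytes>".
SAMPLE_LOG = """\
2014-04-28T08:01:12Z 10.10.5.23 198.51.100.7 445 8192
2014-04-28T08:01:40Z 10.10.5.23 10.10.5.40 445 120000
2014-04-28T08:02:05Z 10.10.5.40 10.10.7.9 445 98000
2014-04-28T08:03:10Z 10.10.9.2 203.0.113.80 443 4100
2014-04-28T08:04:33Z 10.10.7.9 203.0.113.80 80 2200
2014-04-28T08:05:00Z 10.10.5.23 203.0.113.80 80 2300
"""

# Assumption: the corporate network is 10.0.0.0/8; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse log lines into records sorted by time; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes),
        })
    return sorted(records, key=lambda r: r["ts"])


def scope_compromise(records, seed_hosts, max_hops=2):
    """Expand the suspect set from the seeds over internal connections.

    Hop 0 is the seed set; hop n+1 is every internal host that a hop-n host
    connected to. Returns (hops, first_seen, external):
      hops        suspect host -> hop distance from a seed
      first_seen  non-seed suspect -> earliest time a suspect contacted it
      external    external destination -> set of suspect hosts that reached it
    """
    hops = {h: 0 for h in seed_hosts}
    for hop in range(max_hops):
        frontier = {h for h, d in hops.items() if d == hop}
        for r in records:
            if r["src"] in frontier and is_internal(r["dst"]) and r["dst"] not in hops:
                hops[r["dst"]] = hop + 1

    first_seen = {}
    external = defaultdict(set)
    for r in records:  # records are time-ordered, so the first match is earliest
        if r["src"] not in hops:
            continue
        if is_internal(r["dst"]):
            if hops.get(r["dst"], 0) > 0:
                first_seen.setdefault(r["dst"], r["ts"])
        else:
            external[r["dst"]].add(r["src"])
    return hops, first_seen, dict(external)


def shared_destinations(external, min_sources=2):
    """External hosts reached by several suspects: candidate C2 or staging points."""
    return sorted(d for d, srcs in external.items() if len(srcs) >= min_sources)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hops, first_seen, external = scope_compromise(recs, {"10.10.5.23"})
    for host, hop in sorted(hops.items(), key=lambda kv: kv[1]):
        when = first_seen.get(host)
        print(f"hop {hop}: {host}" + (f" (first contact {when:%H:%M:%S})" if when else " (seed)"))
    for dst, srcs in sorted(external.items()):
        print(f"external {dst} <- {', '.join(sorted(srcs))}")
    print("shared destinations:", shared_destinations(external))
```

The hop limit matters: one hop answers "who did the infected box talk to", two hops starts to show lateral movement, and beyond that the suspect set tends to grow to the whole network unless the edges are filtered by port or volume. The host 10.10.9.2 in the sample is deliberately never reached from the seed, so it stays out of scope even though it contacted the same external address.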
At a recent CISO lunch that I attended, the discussion around the table was twofold. First, there was unanimous acceptance that it is impossible to deliver 100% cyber security, so the risk of breach and compromise has to be accepted. Second, if you identify that an attack is taking place, do you block it immediately, at the risk of alerting the attacker that you are aware of their presence, or do you let it continue so that you can 'learn' how they are operating and what they are targeting? The answer was that the 'business' wants to block the attack so that the business can continue to function, while the security purists wanted to monitor the attack and learn from it so that they can build stronger defences.
The Verizon report also shows that identifying a compromise within an organisation still takes weeks or months, while penetrating an organisation can take minutes or hours, and that this gap between time to compromise and time to discovery is growing.
However, there really is no excuse for this widening gap, as businesses today can use advanced malware protection that can scope, contain and remediate identified malware with a few mouse clicks. If more organisations take advantage of these solutions, we can hope to see a decline in reported breaches in the 2015 report.
Whilst achieving 100% security is a pipe dream, if you take a holistic approach to the 'cyber threat' problem - before, during and after the attack - you will be in a better position to identify and deal with the threat quickly and to limit the damage done as much as possible.
Ignoring the risk is simply not an option. To bury your head in the sand and refuse to acknowledge the challenge will only invite disaster. Much better to prepare for the inevitable and ensure that when it does happen - you know about it as quickly as possible and take appropriate action to minimize the impact.
So rather than suggesting the war on cybercrime is lost, I would say there is a growing awareness of the risks out there and a growing sense of realism about the nature of the cybersecurity threat landscape. There are also better tools available today to identify and deal with threats; the cybersecurity industry is in a better position to defeat cybercriminals than it has ever been. The onus, however, is on adopting best cyber practice and deploying advanced malware protection tools.