Kathy Gibson reports from London – Organisations are already battling to stay ahead of the IT security game – and millions of new hackers are poised to enter the market as emerging markets become connected.
Andrzej Kawalec, global chief technology officer: enterprise security services at HP Enterprise Security, tells delegates to an HP Enterprise Security event that CISOs (chief information security officers) are under
constant pressure to protect their organisations’ assets, in an environment where they have to be right all the time, but the attacker only needs to get lucky once.
“One of the pressures they face is a need to respond to new markets and new companies entering the connected world,” he says. “There is massive growth coming from the developing nations and potentially millions of new hackers coming from those countries.”
IT security is big business, Kawalec adds, with the biggest part of the business taking place on the side of the attackers.
“It has become a sophisticated economic model in its own right,” he says. “And the criminal marketplace probably outweighs the security market.”
Among the new threats emerging are cyber-cartels, where the convergence of traditional and cyber-crime is taking place; cyber militia, where cyberspace is being used as a national battleground or terrorism target; and cyber altruism, where individuals or groups are driven by their social conscience.
Of concern to CISOs, he says, is the fact that it takes on average 243 days before organisations detect a breach – and 94% of the time they are discovered by third parties. In addition, 84% of breaches are occurring at the application layer – although most protection is not aimed at this layer – and the time taken to resolve a breach has grown by 71% since 2010.
“Yes, most organisations have been attacked,” Kawalec says. “Most have not been taken out of business completely, but cyber risk is now a top-level board issue.”
According to HP Security research, 56% of organisations have been the target of a cyber-breach. With the average cost of each breach having increased 41% to $8,6-million, cyber security has become a consideration in market capitalisation.
Kawalec adds that CISOs are still intent on spending their budget on securing infrastructure instead of on management, processes and controls. “However, if you are investing only in what you see, you are heading for a crash. You need to step away from what you know and become more proactive.”
Enterprises will always be on the back foot, he adds, unless they can solve the challenges brought about by legacy technologies, talent shortages, a new style of IT, and a lack of visibility into their systems.
“At the same time, 57% of board members and CISOs disagree that information risk is making their organisations less agile,” says Kawalec. “We need to change this.”
One of the major challenges is that the biggest risk – at 56% – is within the organisation itself.
“The real risks remain internal: data leakage, employee carelessness and staff turnover. We can’t just rely on machine intelligence, but need to understand how people operate.”
The HP Enterprise Security operation addresses security in three ways, Kawalec says: providing technology to disrupt the adversary; managed security services to help organisations manage risk; and security consulting so that organisations can extend their capabilities.
“There is a global epidemic, but we are fortunate to have a huge number of security professionals on board – there are 5 000 of us globally – as well as operation centres around the world in both developing and mature markets. We think we’ve got one of the premier research and development teams in the business,” Kawalec comments.