Over the past ten years cyber security has transitioned from a jargon-filled topic considered the preserve of IT departments to one of the key pillars of an increasingly digitised society. For where technology has enhanced plenty of products and services, it has also brought with it new risks. As more and more organisations make the move online, so too do the criminals looking to exploit them. Cloud-based software has catalysed a culture that craves speed and flexibility, but it has also created new attack surfaces that can be made even larger by people’s oversights.
Cyber security can no longer be treated as an afterthought; it is one of the first and most important decisions any modern organisation worth its salt should make. And it is now far from an IT-only issue. Effective cyber security and resilience – that is to say a company’s capacity to cope with a breach – hinges on having a good blend of technical provision and human understanding. The latter extends from the boardroom to even the most junior member of staff.
At the start of the decade, cyber security was regarded as an optional extra. “Better safe than sorry” was the widely accepted wisdom, but the chances of actually being made sorry were slim. Essentially, security was considered a narrowly defined set of defensive items – such as anti-virus programs or firewalls – that protected core services and deliverables. Most data breaches before the 2010s were unintentional or accidental. Many centred on customer access platforms where databases of credentials or accounts were lost.
Over the past decade, it has become almost impossible for businesses to maintain the traditional outer perimeter they had so carefully built up. That security perimeter has moved from static to completely elastic as systems and individuals became more connected than ever. Cybercrime, meanwhile, has become increasingly organised along industrial lines, with groups increasingly using automated tools to speed up their attacks and make them even more targeted. Protection of data (driven by a hugely increased understanding of the monetary value of personal data, and the introduction of regulation such as GDPR) is now seen as absolutely key. This has meant that various layers of protection, alongside active threat monitoring and engagement, have become not just recommended but required.
The decline of physical, on-site IT infrastructure and a shift to cloud-based storage is particularly significant. Companies are looking to consolidate data in ever larger storage areas with major providers, as this allows them to move more quickly and cheaply into new ways of working. The old “self-contained” data centre model has now largely been broken as a result. The resulting need to connect the enterprise and all branch networks, data centres and international offices places increasing pressure on not just network technologies, but also security departments, which have to assess, monitor and protect their company’s data across all those locations.
As important as organisational shifts towards new technology is the rise in and evolution of personal devices. As we all got used to using app stores over the past ten years, we have also come to appreciate the risks around them – from unverified apps that may display harmful content, to app access and permissions that allow the harvesting of personal data. At a business level, security has also had to evolve to manage employees using their own devices to access company systems.
Similarly, businesses have also adapted to the massive use of social media for professional purposes, including the potential to unwittingly share confidential information. Indeed, social networks have evolved over the past decade from a tool that people used to connect with friends and family into the main way that many people interact, with profound implications for personal security, from misinformation to the impact of algorithms on our personal lives and on nations as a whole.
Moving forward, into the 2020s and beyond, security can no longer be focused solely on defence and detection. Rather, it must be more attuned to response and enablement. The coronavirus pandemic, which has brought about the world’s largest working-from-home experiment, has underscored the need for cyber security strategy to be implemented throughout organisations. Everyone has a part to play. As remote working reaches a new level of normality, businesses must consider not only how to keep their connections as secure as possible, but also how to engage with their staff and inculcate good cyber hygiene.
In the future, cyber security strategy needs to be responsive and flexible. That means accepting that you can’t always control the devices people use to access information or the public networks they use, but you can control the gateways and the policy. Policy, in turn, drives exactly what you can access and how, and what you can do once you have information on your device. Businesses need to ensure that policy is applied from the centre out to their entire organisation – so that information security isn’t just considered as a traditional network or data centre issue, but applies across all business processes.
Organisations increasingly need to prioritise different security protections for specific elements of their systems, based on each element’s respective risk to the business. And the same is true for individuals and households. We all have to think about the data and assets we couldn’t afford to lose, and ensure that we have the necessary protections and “defence in depth” to protect them.
Kevin Brown is managing director at BT Security.