Our vision for digital security is to improve people’s lives. We’re aiming to do this by reducing cybercrime, protecting our customers’ digital assets, and by enabling organisations to engage with their customers and citizens in the most frictionless way possible.
To deliver the vision we are focussing on three key levers – collaboration, innovation and “Security by Design”.
If public agencies, private sector security providers, and in-house cyber teams can share security research and threat intelligence, we can maximise security budgets, avoid duplicated effort, and collectively detect and prevent criminal activity much earlier.
A recent report (Ponemon Institute: 2018 Cost of Data Breach Study) found that breaches that took over 100 days to identify, cost organisations nearly 40% more than those identified in under 100 days. And breaches that were contained in under 30 days saved organisations c. £1m per breach, compared to those that took more than 30 days to resolve. There are certainly opportunities for quick wins by working together.
The costs of cybercrime are now so vast, that if we only do what we think is necessary at our individual, business or national level we will fall short of the significant challenge facing us.
In 2014, the cost to the global economy of cyber crime was $400bn. It is now running at $600bn per year – that’s greater than the GDP of 80% of all countries in the world.
In the UK, Cybercrime cost businesses over £30bn last year, yet the UK market spend on cyber services was around £3bn, barely 10% of the cost to the economy of cybercrime.
The threat to UK businesses is growing – A 2017 study by Beaming discovered that UK businesses each experienced an average of over 600 attempts a day to breach their corporate firewalls – 30% more than 2 years earlier.
And according to a 2018 report by Positive Technologies, cyber crime services can be purchased on the dark web at shockingly low rates – $40 for a hacking email; $50 for a Distributed Denial of Service attack; $750 for infecting an organisation with ransomware.
Gartner estimate that spending on security and risk management should be around 4-7% of an organisation’s overall IT budget. Innovation can help this budget go further.
New cyber services are constantly being developed by thousands of security vendors worldwide. By working with resellers and outsource service providers who have their own horizon-scanning and integration capabilities, organisations can discover and test these developments. They include applying capabilities like AI and machine learning to orchestrate and automate security operations; and establishing security roadmaps that maximise security investments.
The same Ponemon study saw organisations that deployed an AI security platform save an average of £130k (5%) against the average cost of a breach. Organisations that fully deployed security automation, including the use of AI and analytics, reduced the average cost of a breach by over £1m. Yet in the UK, only 10% of the surveyed companies had fully deployed such security automation.
We also need to explore technologies like blockchain that have security built in to their core. Sopra Steria has developed a number of Proof of Concepts that use the inherent trust, confidentiality and provenance of distributed ledger technologies to track assets, manage logistics and record transactions in a more efficient manner.
The security industry mantra is to design applications and services with security controls that are baked in, not bolted on – particularly relevant when developing solutions that incorporate third party IoT devices. Examples include testing application vulnerabilities at each stage of the development process; regularly assessing the value of organisation data; and understanding the relationships between that data and accompanying systems and business processes.
Cyber attacks have typically targeted the Confidentiality, Integrity and Availability (CIA) of networks and data. We should now add Privacy and Provenance as security considerations, following the recent Cambridge Analytica/Facebook scandal, new GDPR regulations, and the ability for home hub devices to “accidentally” record private conversations; not to mention the rise in counterfeit goods, video mimicry and “fake news”. CIA should now be CIPPA…
This article was originally published here.