News / Security /

Why enterprise IT must adopt a ‘when, not if’ approach to cyber-security

Top targets this year include wearables and IoT devices that further blur the frayed line separating personal data and corporate networks, as well as new retail IoT beacons and mobile payment systems, says a new report.

Share this article:

You know the battle against cyber-hackers has escalated to an all-out war when Raytheon ventures into the fray.

Raytheon is still better known within the realm of warfare than software. (That’s their wording, not mine; they list “electronic warfare” under the “what we do” section of their website.)

Raytheon has been around since 1922. Its radar systems helped the Allies win World War II. Its microwave tubes transmitted Neil Armstrong’s famous “one small step for a man” line back to Earth when he set foot on the moon in 1969.

Today, Raytheon is one of the biggest defence contractors on this planet. These are the people who make the Patriot missile. Now they’re wading onto the cyber battlefront: In 2015 the company paid more than US$1.5 billion to acquire IT security firm Websense.

“We made a decision back in September 2013 to get into the commercial cyber business,” Raytheon CEO Thomas Kennedy told Defense News last May, adding that the Websense deal furthers Raytheon’s goal of “providing defence trade cyber-security to the commercial marketplace.”

The new division, dubbed Raytheon/Websense, recently released its cyber-security predictions for 2016. The report lists some of the top IT targets to watch for this year, including:

  • wearables and other Internet of Things (IoT) devices that further blur the frayed line separating personal data and corporate networks
  • new retail IoT beacons and mobile payment systems that are becoming increasingly popular
  • aging Internet infrastructure riddled with security holes
  • newly introduced general top level domains (gTLDs) like .car or .wine that will expand the target base for social engineering and other hack attacks

The report also puts forth one main argument, and it echoes back to Raytheon’s military roots: the best defence is one that assumes an attack is inevitable.

Nations train soldiers and maintain a defence plan even in times of relative peace, right? IT managers, according to Raytheon/Websense, have to adopt the same “not if, but when” type of mindset toward cyber breaches.

“An assumption that ‘we are already compromised’ is beginning to pervade security professionals,” the study concludes. “Companies with an eye on the bottom line will begin to no longer strive for ‘perfect protection.’”

Carl Leonard has no military background that I know of, but he has spent more than one-and-a-half decades in the cyber-security trenches. As principal security analyst at Raytheon/Websense, he explained to me during a phone interview what this new mindset looks like.

“It’s not possible to protect against every attack,” he said. “It’s best to be breach-ready so you’re able to identify what has just happened and put in place processes that will stop that from being a problem in the future.”

As Leonard described it, this includes “understanding where your data is, identifying how to protect that in your environment (and) realizing your environment is not just restricted to your own physical network but extends out to the cloud.”

So that means continually assessing threats to your data, encrypting your data so that (in Leonard’s words) “should it be leaked, it’s of no use to anybody,” and mitigating any damage when — not if — an incident takes place.

Based on Deloitte’s 2015 Cybersecurity Survey released in December, Canadian organizations really need to make this mental shift. It found only one in 10 have a “high level of preparedness” for cyber threats, less than half perform “periodic” assessments of threats and vulnerabilities, and just 22 per cent would be able to “rapidly recover” if hit by an attack.

Adopting this new mindset isn’t about giving up the good fight. It’s about taking a more realistic view of the fight and accepting that your walls won’t always be bulletproof. It could be one small step for an IT manager and one giant leap for enterprise security.

Image courtesy of Free Digital Photos

Share this article:
Comments are closed.