Is the IT Sector Beset by Fear-Mongering?
Paul Watts, Distinguished Analyst for the Information Security Forum (ISF), featured in Computer Weekly.
The past five years have been a turbulent time for the IT sector. Just as technology has become more advanced and ubiquitous, so too have the threats facing the industry escalated. Rising to counter these threats are a multitude of security services and technologies, presenting a wealth of options for modern enterprise. This can become overwhelming for the unprepared.
The scale of attacks facing the IT sector has increased greatly in recent years. No longer are organisations solely concerned about lone hackers and insider threats. Instead, a diverse range of threats now face modern enterprise, such as data breaches and ransomware attacks. According to Statista, in 2021 the average downtime spent recovering from a ransomware attack was estimated to be over 20 days. Meanwhile, there are significant financial penalties for organisations that are found to have been negligent in their data protection duties following breaches.
This rise in threats has also been driven by the ease with which attacks can be conducted, such as by using illegal hacking services offered on the dark web. Although there have been some high-profile arrests, these have not been as frequent as the rise in cyber attacks. “Nobody’s getting punished in court,” observes Brad King, chief technology officer at Scality. “You can stop murderers by putting them in jail, but when those people [hackers] do eventually get caught, they’ll be put away and six months later they’ll be back doing the same thing again.”
Following several high-profile attacks, such as the WannaCry ransomware attack on the NHS in 2017, which received significant media coverage, there has been increased awareness of the threats posed by bad actors. People outside the IT sector are much more aware of cyber attacks and are consequently demanding that more is done to protect their data.
Fear-led decision-making
All of this has combined to engender an atmosphere of fear within the IT sector. Limited IT budgets mean that the threat posed by malicious actors is no longer channeled into proactive preparations, but into reactive responses. “The IT industry is reacting to a lot of misinformed noise,” says Alex McDonald, EMEA chair of the Storage Networking Industry Association (SNIA). “What we’re trying to do is make some sense out of what people want: they want security at no cost that is infinitely flexible.”
The focus on reactive responses has been compounded by the technological arms race between security teams and hackers. Hackers launch a new form of attack, against which cyber security teams develop a new defence, thereby causing the hackers to adapt. As a consequence, there are many new technologies on the market, which organisations may feel compelled to acquire for “just-in-case” scenarios.
End-users are therefore at risk of becoming overwhelmed by the number and variety of security products available. This is just as much to do with the marketing of a product, which is driven by suppliers competing against their market rivals in a saturated industry, as it is to do with the range of products available. Therefore, for vendors to stand out in such an environment, there is a temptation for them to over-emphasise their products.
It is therefore necessary for end-users to take a pragmatic approach to their purchasing strategies, considering their threat profile and potential vulnerabilities. “It’s about managing a balance between risk and reward, pivoted around the assets that are important to an organisation,” says Paul Watts, a distinguished analyst with the Information Security Forum (ISF).
Enterprise networks are now far more complicated than they once were. This, in turn, has made securing them more challenging, especially given their greater reach and increased data accessibility. “You’ve got your web servers, data servers, and these things interact,” says Scality’s King. “There is no one system that can just roll up to yesterday morning’s backups.”
Prepare, rather than react
Before any purchases are made, it is necessary to gain a full understanding of the networks that will be supported and the data flow across them all. This analysis will enable easier selection of suitable security technologies to meet the relevant security demands.
Such an analysis should include projected growth of an organisation’s network, because becoming locked into a security service that does not allow for growth could swiftly become a restrictive or limiting factor.
This information can form part of a purchasing plan, enabling organisations to accurately estimate their anticipated purchases. It also reinforces an important notion that security is no longer an IT issue, but a business one. Therefore, this gives greater flexibility to the IT budget, enabling improved strategic and long-term planning.
Another side-effect of fear-mongering is that much of the focus is on the fear of being hacked. Therefore, while many seek to identify and block any potential malicious actors, there is tendency not to consider the potential ramifications of being hacked.
In many ways, it is almost a given that organisations will be hacked; and the bigger they are, the bigger the target they become. Detecting and blocking hacking is important, but equally, there need to be preparations for what happens when there is an attack and how any lost data and network functionality can be restored in the subsequent recovery phase.
“Everyone can do backups, but can somebody do the restoration?” says King. “It’s all about the recovery.”