
Is the IT sector beset by fear-mongering?

The arms race between hackers and security teams has led to a plethora of new technologies, but it can be hard to differentiate between sensible cyber purchases and those that are promoted by exaggerating risk

The past five years have been a turbulent time for the IT sector. Just as technology has become more advanced and ubiquitous, so too have the threats facing the industry escalated. Rising to counter these threats are a multitude of security services and technologies, presenting a wealth of options for modern enterprise. This can become overwhelming for the unprepared.

The scale of attacks facing the IT sector has increased greatly in recent years. No longer are organisations solely concerned about lone hackers and insider threats. Instead, a diverse range of threats now face modern enterprise, such as data breaches and ransomware attacks. According to Statista, in 2021 the average downtime spent recovering from a ransomware attack was estimated to be over 20 days. Meanwhile, there are significant financial penalties for organisations that are found to have been negligent in their data protection duties following breaches.

This rise in threats has also been driven by the ease with which attacks can be conducted, such as by using illegal hacking services offered on the dark web. Although there have been some high-profile arrests, these have not been as frequent as the rise in cyber attacks. “Nobody’s getting punished in court,” observes Brad King, chief technology officer at Scality. “You can stop murderers by putting them in jail, but when those people [hackers] do eventually get caught, they’ll be put away and six months later they’ll be back doing the same thing again.”

Following several high-profile attacks, such as the WannaCry ransomware attack on the NHS in 2017, which received significant media coverage, there has been increased awareness of the threats posed by bad actors. People outside the IT sector are much more aware of cyber attacks and are consequently demanding that more is done to protect their data.

Fear-led decision-making

All of this has combined to engender an atmosphere of fear within the IT sector. Limited IT budgets mean that the threat posed by malicious actors is no longer channelled into proactive preparations, but into reactive responses. “The IT industry is reacting to a lot of misinformed noise,” says Alex McDonald, EMEA chair of the Storage Networking Industry Association (SNIA). “What we’re trying to do is make some sense out of what people want: they want security at no cost that is infinitely flexible.”

The focus on reactive responses has been compounded by the technological arms race between security teams and hackers. Hackers launch a new form of attack, against which cyber security teams develop a new defence, thereby causing the hackers to adapt. As a consequence, there are many new technologies on the market, which organisations may feel compelled to acquire for “just-in-case” scenarios.

End-users are therefore at risk of becoming overwhelmed by the number and variety of security products available. This is just as much to do with the marketing of a product, which is driven by suppliers competing against their market rivals in a saturated industry, as it is to do with the range of products available. Therefore, for vendors to stand out in such an environment, there is a temptation for them to over-emphasise their products.

It is therefore necessary for end-users to take a pragmatic approach to their purchasing strategies, considering their threat profile and potential vulnerabilities. “It’s about managing a balance between risk and reward, pivoted around the assets that are important to an organisation,” says Paul Watts, a distinguished analyst with the Information Security Forum (ISF).

Enterprise networks are now far more complicated than they once were. This, in turn, has made securing them more challenging, especially given their greater reach and increased data accessibility. “You’ve got your web servers, data servers, and these things interact,” says Scality’s King. “There is no one system that can just roll up to yesterday morning’s backups.”

Prepare, rather than react

Before any purchases are made, it is necessary to gain a full understanding of the networks that will be supported and the data flow across them all. This analysis will enable easier selection of suitable security technologies to meet the relevant security demands.

Such an analysis should include projected growth of an organisation’s network, because becoming locked into a security service that does not allow for growth could swiftly become a restrictive or limiting factor.

This information can form part of a purchasing plan, enabling organisations to accurately estimate their anticipated purchases. It also reinforces an important notion that security is no longer an IT issue, but a business one. Therefore, this gives greater flexibility to the IT budget, enabling improved strategic and long-term planning.

Another side-effect of fear-mongering is that much of the focus is on the fear of being hacked. Therefore, while many seek to identify and block any potential malicious actors, there is a tendency not to consider the potential ramifications of actually being hacked.

In many ways, it is almost a given that organisations will be hacked; and the bigger they are, the bigger the target they become. Detecting and blocking hacking is important, but equally, there need to be preparations for what happens when there is an attack and how any lost data and network functionality can be restored in the subsequent recovery phase.

“Everyone can do backups, but can somebody do the restoration?” says King. “It’s all about the recovery.”

Experience, not just education

A robust disaster management plan, formulated with expert elicitation and tested for unforeseen issues, will be invaluable for enabling rapid data recovery. Having the appropriate recovery scenarios in place allows organisations to have advanced preparations for the necessary responses they need to perform as soon as an attack occurs. Good practice can be reinforced by conducting simulated disaster scenarios, such as for a data breach or distributed denial of service (DDoS) attack, thereby allowing IT teams to gain hands-on experience of a network attack and how to respond in worst-case scenarios.

However, preparing an appropriate security strategy document requires an author, or authors, with the appropriate training and experience. “I look for knowledge, experience and reputation,” says the ISF’s Watts. “There are a lot of people in the market who have their credentials. You can swallow the textbook, but applying that knowledge in a business environment is what earns you your stripes.”

Further assistance will be available soon, in the form of a body for industry standards, accreditation and regulation. The UK Cybersecurity Council was formed recently, initially as part of the Department for Digital, Culture, Media and Sport (DCMS), before becoming an independent government body. It is intended to develop and promote nationally recognised standards for cyber security in support of the UK government’s National Cyber Security Strategy. For 2021, its stated vision was that “the UK is secure and resilient to cyber threats, prosperous and confident in the digital world”.

Part of the UK Cybersecurity Council’s mandate will be to bring together a raft of professional bodies to form a framework of recognised cyber security accreditations. This will enable employers to identify more easily those with the necessary experience and training to develop a security procurement package for their networks.

However, the UK Cybersecurity Council will be a single regulatory body and some would prefer a different arrangement. “I would prefer multiple bodies representing the industry, rather than the one,” says the SNIA’s McDonald. “The more different viewpoints and people that are involved in it, the more transparent it becomes.”

Lead with knowledge, rather than react with fear

With the ongoing media coverage of recurring data breaches, it can be understood why there is an element of fear-mongering, which can affect end-users. Therefore, investing in cyber security technologies and services without first considering the necessity of purchases can lead to inefficient budgeting. There is also the potential risk of being locked into a restrictive service that could expose vulnerable aspects of a network to attack.

Having a thorough understanding of the current and expected network architecture, as well as the potential threat vectors that it faces, allows a more cognisant approach to security acquisitions, therefore providing a more effective cyber security posture.

It is unfortunate that it is not so much a case of if you will be attacked, but when. Focusing solely on prevention can leave vulnerabilities and lead to excessive downtime and lost data. A shift in methodology to a more holistic approach, considering data recovery in particular, will improve resilience and mitigate against damaging levels of downtime following an attack.

There is much to be concerned about when considering the threat of a cyber attack, but a risk-informed holistic approach to security will enable a robust security stance.
