At home, I have invested in good quality locks on my doors and windows, conforming to the standard required by my insurance company. In addition to that I have also invested in an intruder alarm.
This is part of my defence in depth strategy. In principle an intruder should be prevented from getting into my home by the good quality locks, so in theory I don’t need an alarm. But there are failure modes:
- The intruder may break the window, bypassing the lock;
- The lock may be faulty;
- There may be ‘operator error’ and the lock is not closed properly.
So my protection mechanisms might fail.
So I have a detection mechanism – the intruder alarm – which should activate if the locks fail or are bypassed. (A friend in the police once told me, a barking dog was just as effective – in 10 years’ service he had never attended a house burglary where there was a dog that barked in the house.)
Once activated, the alarm will hopefully trigger a response, such as a neighbour checking to see if everything is OK.
So why do we think differently in cyber security?
For some reason, many organisations seem to focus efforts on the protection mechanisms: firewalls, patching and access controls. (Anti-Virus straddles both categories, as it typically both protects and detects.)
Protective monitoring (the intruder alarm) comes second, often as an afterthought. Some of this is presumably because IDS/IPS systems have had questionable effectiveness.
However, I wonder if this focus is now about to change. The article Cybersecurity: Five Essential “Truths” in the Wall Street Journal is the first place I have seen explicit figures, suggesting:
Your walls are probably high enough. Companies continue to invest heavily in the protection side of cyber security—more firewalls, more intrusion-detection systems. But most wall buildings may be about as high as they need to be. Given that hackers have likely already infiltrated, companies should focus more on the detection side to increase their vigilance against attacks and on recovery after the fact. The formula is different for every company, of course, but of the typical IT cyber risk spend, 30% might be allocated to wall building, 50% to detection and another 20% to resilience preparation.
That’s 70% of spend on detection and resilience, and only 30% on protection! In my experience few companies have a balance anywhere close to that.
As well as these figures, there have been many reports recently about the cost of recovering from a cyber attack. According to the report Hackers put a bull’s-eye on small business, 60 percent of small businesses go out of business within six months of a cyber attack. Large companies, by contrast, can put a figure on the cost of recovery, but rarely fail as a direct result.
I speculate that one reason for this is that, unless SMEs take cyber security seriously, they do not have resilience plans in place to recover. This is NOT an argument to avoid doing business with SMEs, but rather an argument that you need to look for well-run SMEs that take it seriously and subscribe to schemes and standards such as Cyber Essentials and ISO 27001.