The rise in politically motivated computer crime is the subject of a recent article discussing how companies focus on profit-motivated cyber crime while ignoring other threats. The author states that because of "fear-mongering from the media and opportunistic profiteers, we've all become myopically obsessed with [profit based] cyber-crime."
"While monetary gains are certainly a big motivator for cybercrime, increasingly cyber-criminals are acting out of political interests."
The article blames much of this on security vendors hyping specific threats that their products are designed to protect against. I agree: I see it every day when advising my clients.
The author then prescribes three actions companies should take. These are summarized as:
- "...put up the best defenses you can. Make sure that you are putting the resources you already have, such as log files, to the best possible use";
- "...implement the best people-processes you can"; and,
- prepare to be "hacked".
Unfortunately, these recommendations just repeat the very error the article points out: blindly implementing security controls without understanding the nature of the threats the organization faces.
There are many cyber threats with a multitude of motives, and one of the key contributors to the increased effectiveness of all types of cyber-crime is the myopic focus on technology while not understanding threats and risks. This leads to some threats not being mitigated while others are over-protected, thereby wasting valuable budget and resources (see "IT security professionals must evolve for changing market" for further discussion).
Companies need to start with a thorough assessment of threats and risks.
Then, they can design the organization, skills, policies and processes to best mitigate those risks. Only after these steps are completed should they begin to choose and implement (technical) controls that help automate and manage the mitigation and monitoring processes. Anything else is just a waste of money.
Managing threats and risks should drive the selection and use of controls - not the other way around.
The author is correct that too many organizations are not prepared for cyber attacks and assume (incorrectly) that if they have a firewall and some log management or other tools in place they don't need to worry. No security control or process would be perfect even if resources and budgets weren't an issue. Companies need a robust incident response capability, and it must be in place before a crisis occurs, not developed during one.
Focus on Cyber-Crime Misses Real Threat