Cybersecurity Should Be More Than a Tick Box Exercise, as Regulations Are on the Rise
WWT Chief Technology Advisor Dave Locke explains how the growing sophistication of cyber-attacks requires a more robust approach to cybersecurity in an article published in IT Financial magazine.
Published by Financial IT in the December 2018 issue:
The UK has been hit by more than 1,000 serious cyber-attacks over the past two years[1]. According to the 2018 Thales Data Threat Report, 69% of UK organisations report an overall increase in their IT security spending[2].
Governments and regulators have updated regulations and reporting frameworks in response to the evolving threats to make sure companies can prove compliance. Regulation standards such as CBEST, MIFID2 and GDPR have increased the mandate for companies to shift from annual compliance tick box activities to delivering ongoing assurance of critical systems.
Earlier this month, as part of this strategy, the UK government identified 'operators of essential services' that will be required to comply with the security and incident reporting requirements set out in the European Security of Network and Information Systems (NIS) Directive.
The directive requires the identified businesses and service providers to ensure their technology, data and networks are secured and cyber resilient.
This however, is easier said than done. The growing sophistication of cyber-attacks requires a more robust approach to cybersecurity. It's becoming apparent that simply increasing spend on cybersecurity products is insufficient to combat the rising complexities of cyber-breaches.
With core business applications and their associated data being the biggest targets for bad actors, the first response by most companies is to segment their applications and impose layers of protection around each segment, denying free reign access to mission-critical applications across the network in case of a security breach in one part of the network. A properly implemented segmented environment can limit access by restricting lateral movement, which affords the enterprise a higher level of protection.
The underlying IT systems within these companies are highly complex, and whilst modernising them to provide vigorous cyber protection is not impossible, it is extremely difficult. These existing legacy systems are often decades old with occasional new features added over time, forming a complex patchwork of applications. As a result, companies typically have thousands of applications that are intertwined and interdependent.