Cyber crime fighters must focus on risk management, rather than prevention

Cyber security professionals should shift their focus from prevention to risk management, Royal Holloway Information Security Group's Dr Stephen Wolthusen told today's Westminster UK Cyber Security Strategy eForum.

"A very sophisticated, server-side attack that could get you into an organisation costs you low five figures – at most," said Wolthusen. "And a highly sophisticated zero-day attack will quickly become part of the general armoury of adversaries."

"I don't actually buy the distinction in the 80/20 rule [which suggests that 80 per cent of cyber attacks can be prevented simply by best practice]," he continued. "Anyone that says it's the 80 per cent threat level that's relevant, if you see the cost to an adversary, realistically it would make more sense for organisations to understand the whole picture than just target the low-level threats."

Wolthusen suggested that, with the notion that "the adversary will already be in the system, happily prancing around disabling the security" taken as a given, "not a great deal" remained to be done.

"The cyber security capabilities that can combat this are likely to be beyond the reach of organisatons, and is likely to stay this way. Because even if you have the budget, you don't have the people that can keep up with it," Wolthusen argued.

Risk management, he suggested, is the way foreward. Though it may be painful to admit this, organisations should recognise "we are not going to get this right. Most of the time we're just plugging holes", he said.

"The one thing we can contribute is a better understanding of what the assets are," he added.

Wolthusen gave an example of a large airport recently left unable to operate a baggage handling system because one of its small contractors had lost control of a system, due to cyber crime, and couldn't repair it.

"Businesses are subdividing their supply chains deeper and deeper, and compliance organisations do not have the reach all the way down," said Wolthusen, adding that focus needs to be on "where those risks are hidden".

"The best thing that we can hope for," said Wolthusen, "when the enemy is already within, is to rebuild forensically the damage done, so others can learn from it.

"The question is, how can we share this information in a way that is actionable."