'Why spend millions on an iPhone exploit when you can bribe a sysadmin for corporate network access?'
Panel of security experts discusses the latest threats to enterprises
The ways in which enterprise security can be breached by hackers are increasing, with staff often personally targeted where a business' security technology makes more traditional methods harder.
That was the view of a panel of security experts at technology conference IP EXPO this month.
"We need to be realistic about our ability to keep people out who have access to massive resources," said Dave Palmer, director of technology at security firm Darktrace. "We can implement the latest and best tools, but at the same time we need to preserve our ability to be agile and actually do business. Because for criminals, why spend a million on an iPhone exploit when bribing a sysadmin £100,000 will also get you access [to corporate networks]?" Palmer asked.
Palmer's point, though phrased in a way to make CIOs and business leaders quake, is that every angle must be covered in an enterprise security strategy. That means ensuring that staff are trained and monitored in addition to networks, devices and the data itself being properly secured.
Troels Oerting, former cyber crime chief at law enforcement agency Europol, and current group CISO at Barclays, added that the increasing cyber attacks from nation states also help cyber criminals, who are able to make use of the nations' expensively developed technologies.
"The malware nation states use for their attacks sometimes stays in the wild, then we find that criminals use it a couple of months later."
Palmer agreed, but warned that even older, less sophisticated threats are still able to catch firms out.
"We see compromised chips hiding inside hard drives and malware secreted within the BIOS, but we need to be realistic - vast numbers of companies haven't cleaned up Conficker [a computer worm that targets systems running the Windows operating system] from 2007 yet, I still see that every week. And we'll see a large-scale worm infestation like this from seven years ago happening again soon, I'm sure.
"So we don't need to obsess just over the new stuff. I'm surprised we haven't seen more businesses actually wiped out. There'll be a digital survival of the fittest over the next few years."
James Lyne, global head of security research at Sophos, added that the increasing use of Internet of Things technologies within businesses will soon open up a new avenue of attack.
"The Internet of Things will be attacked, and not just by someone hacking into your camera to look at you, but because it's a massive point of transformation in computing. Lots of these devices, when you reverse engineer them, are running Linux 2.22, which was out when I was a kid! These things [technologies and their associated security] are going backwards!
"Those devices will soon hold data which meets cyber criminals' interests. There is a genuine problem here we need to start chipping away at before it bites us in the backside," Lyne added.
Oerting advised firms to toughen up their security, or risk losing customers as a result - even without being hacked.
"Companies will be assessed by their potential customers to see if they're secure before they do business with them. It's the human firewall, if you will. We need to tighten the technology controls but never forget it's human beings that are operating them."
So what can enterprises do in the face of such a breadth of attacks? Palmer advised making security "mainstream".
"We've got to mainstream security," said Palmer. "The idea that security teams will get bigger [in order to combat increasing levels of threat] is not sustainable. We need to move security to be a thing that people are aware of across the business. So people who run servers need to understand when a server starts doing something it shouldn't, without needing a tap on the shoulder from the security people."
He explained that the way security professionals are trained also needs to change, with educational set-ups failing to mirror the reality of attempting to secure a busy workplace.
"We get trained on best practice and how to make everything perfect, then we get out into the real world and are told here's 400,000 Windows Servers, go protect them. We get trained on what's perfect, but in the real world we need to compromise."
Lyne agreed, and added that security teams need to communicate better with the rest of the business, instead of just with one another.
"I've spent the last eight years trying to be an advocate for security professionals taking technical matter and making it accessible. We spend a lot of time telling each other we're right, without telling the average person to change their behaviour," he said.