'We can't win the war against hackers' says Thomas Cook cyber security chief

Dean Atkinson tells Computing's Enterprise Security Summit that focus should be on damage limitation

Organisations and businesses are in a cyber security war against hackers and criminals that they can't win, so should focus more resources on damage limitation.

That's the warning from Dean Atkinson, global head of cyber security operations at Thomas Cook, who was speaking at Computing's Enterprise Security and Risk Management Summit 2015.

"I wonder if we need a paradigm shift from a security perspective, because I think we're in a war we can't win, we're not going to beat these attackers," he told the audience of IT professionals at London's Hilton Tower Bridge hotel.

Atkinson likened the approach that many take towards enterprise security to an army trying to battle unpredictable guerrilla forces.

"If I was going to use a military lexicon, we're facing a very dynamic enemy which is hugely funded, hugely targeted, hugely focused; an agile, well-funded, guerrilla force and we're still acting like nation state armies and there's only one winner in that environment," he explained, highlighting how conventional armies struggle to defeat well-organised guerrilla forces.

The best course of action, he argued, is for the enterprise to take control of its data, work out what needs to be protected and have a plan for damage limitation.

"We need to focus on our information, drill down and figure out what's important to us, and where that information is stored," he said, adding that it's vital that enterprises can "recognise when something goes wrong and react to that".

Atkinson said the most obvious target for cyber criminals is information that they can make money from.

"It's not a difficult concept, we are holding information that attackers want so it can be monetised. The loss of that information will impact the organisation's bottom line; look at TalkTalk. So the concept isn't difficult," he said.

Computing Research - presented at the start of the summit - suggests that the board now understands the need for enterprise security. However, Atkinson claimed most business leaders still grossly underestimate the investment needed to minimise threats and limit damage in the event of a breach.

"From a board perspective... they get the risk, it's not difficult, they get that. What they don't get is how much they need to invest to mitigate against it," he said.