This page contains a Flash digital edition of a book.


and professional in their approach. They innovate just as business does, and the fi nancial rewards grow in line with increasing business use of cyberspace. Cybercriminals now have access to powerful tools and expertise for identifying, targeting, and attacking their victims. All the benefi ts that cyberspace brings to legitimate organizations – collaboration and innovation, faster development of new technology, global connectivity – are also available to attackers. Every hacker group, criminal organization and espionage unit in the world has access to highly effective and evolving capabilities. With unprecedented opportunities for collaboration, there is now an entire malspace ecosystem, complete with marketplaces for buying and selling the tools and expertise needed to target and execute attacks.

All this makes it imperative for governments and enterprises to build up cyber resilience. But how can this best be achieved?

A Proportional, Broad-based Approach Cyber attacks may be hard to predict or prevent, but the way in which organizations respond to attacks is critical to long-term success against cybercrime.

The ISF believes a proportional approach to building cyber resilience is required that balances the need to protect organizations and individuals with the need to enable free, legitimate trade and communications. There is little value in implementing draconian laws, or engaging in a tit-for-tat cyber ‘arms race’ with the inhabitants of the malspace. We have seen a number of initiatives recently proposed by governments around the world for tackling cyber threats. The UK government’s allocation of £650m in additional funding toward protecting key infrastructure and defense assets against cyber attacks by encouraging collaboration between intelligence agencies, academia and business seems a sensible strategy. In Europe, national government approaches to cybercrime will soon be overlaid with EU-wide cooperation, with the

announcement by the European Commission (EC) of plans to create a European cybercrime center, operating under the auspices of Europol. This European center will provide a cooperation hub for defending an internet that is free, open and safe, focusing initially on illegal online activities carried out by organized crime groups. The center will warn EU member states of major cybercrime threats and alert them of weaknesses in their online defenses, as well as identify organized networks and prominent offenders operating in cyberspace. However, opposition from civil rights campaigners in the US to Congress’ proposed Cyber Intelligence Sharing and Protection Act (CISPA) demonstrates how fi ne the line is between acting in defense of people’s rights and freedoms, and being seen as a threat to them. Under the CISPA proposal, private companies and the government would be able to share any information directly related to a vulnerability of – or threat to – a computer network.

retaliation are too unpredictable for such a policy to be effective.

The harsh reality is that this is probably an unwinnable ‘war’, given the increasing sophistication and pace of change in cyber attacks. If we could apply all the best- practice security controls, the incidence of successful attacks would decline, but some cyber attacks will still succeed. What is achievable, however, is to prepare an effective response to the inevitable attacks so that their effect is minimized.

From Cybersecurity to Cyber Resilience

Cyber threats are not just an issue for the information security function: they require the involvement of every discipline within an organization, and its partners and stakeholders. A coordinated, collaborative approach is needed, lead by senior business leaders – preferably the chief executive or chief operating offi cer – certainly a board member. Organizations

Having already passed the US House and awaiting debate in the Senate, the White House has gone on record against CISPA, saying it fails to provide “corresponding privacy, confidentiality, and civil liberties safeguards”

Photo credit: Christopher Halloran/

As tempting as it might seem, treating cyber warfare as analogous to conventional warfare – where the threat of retaliation is deemed enough of a deterrent to prevent a major cyber attack on national infrastructure – is almost certainly a losing strategy. The stakes are too high, and the consequences of

need to coordinate with customers, suppliers, investors, the media and other stakeholders; formulating a resilient response allows organizations to prepare for events that are impossible to predict. This means assembling multidisciplinary teams from businesses and functions /// 25

Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52