The New Mindset Required for Making a Dent in the World of Cybercrime

September 9, 2016

by Andrew Bycroft


We all know that cybercrime is increasing: by some estimates it will grow from a $75 billion problem in 2015 to a $170 billion problem in 2020. Most will argue that this out-of-control spiral is unavoidable; it is just the nature of the game. We will always be one step behind, and that much is true. At the rate we are traveling, though, we are slipping behind by not just a step but a mile.

There are five possible states of preparedness that an enterprise can be in when faced with the battle of cybercrime. Ironically, most enterprises seem to fall within two of those states, and it should come as no surprise that those states are a long way from where enterprises need to be if they want to have a fighting chance of defeating cybercriminals.


The first state is known as vulnerable. In this state are many smaller enterprises that have made the assumption that dealing with cybercrime is expensive or out of their control. These enterprises usually do nothing and pay the price when it comes to recovery from incidents. Fortunately, most enterprises have moved beyond this state.


The second state is reactive. In this state are those enterprises whose goal is simply to achieve security, which is the majority of enterprises. What typically happens is a focus on prevention using traditional technologies, such as firewalls, intrusion prevention and anti-malware, combined with improvised, ad hoc responses whenever those technologies fail against emerging threats. The result is a lack of consistency and unnecessarily lengthy incident recovery times.


The third state is compliant. In this state are those enterprises that have a goal of achieving one or more regulatory compliance objectives and typically do so because they are mandated to. If it were not for regulatory bodies auditing and imposing penalties for failure to comply, these enterprises would most likely slip back to the reactive state. Whilst compliance seems like a great goal to achieve, it is based on a limited set of static criteria with a limited scope at a specific point in time. Target had been certified PCI DSS compliant, but that was still no match for the theft of credit card details from its POS terminals by cybercriminals in late 2013.


The fourth state is proactive. In this state are those enterprises that have an emphasis on awareness of risk. Very few operate in this state. These enterprises are more strategic in their planning, and the scope of their efforts is enterprise-wide. They do not just focus on the target scope mandated by compliance, and they generally follow well defined processes to ensure consistency in responding to similar incidents.


The fifth state is resilient. In this state are those enterprises that go beyond risk awareness to risk understanding. Across the entire globe, the number of enterprises in this state is in the double digits. These enterprises excel in communicating risk throughout the enterprise; they have the entire enterprise engaged, from the directors who are accountable for fighting cybercrime to everyone else. Adaptability is a key outcome for resilient enterprises. They might get knocked down from time to time, but they always get right back up again. Risk is seen as an opportunity rather than a danger in resilient enterprises.

One common question that I am asked is what the difference is between security and resilience. Security is a binary state: an enterprise is secure or it is not. Nobody would call a bank vault that has been broken into, or a prison that has been broken out of, "secure." Resilience, on the other hand, goes beyond the mindset of prevention to include identification and remediation of vulnerabilities; prediction and prevention of threats; detection of and response to attacks; and confirmation of and recovery from breaches.
