Enterprises Must go Beyond the Perimeter and Worry About the Surface Area that is Open for Attack and the Challenge of Detecting Attacks Quickly
Cyber security, fraud prevention, compliance with regulations, and anti-money laundering measures are all facets of business defense. A failure in any one of these can leave a company facing significant fines, reputational damage and extensive forensic and remediation costs. For financial services firms, this could mean a ten-year hangover in terms of Operational Risk Capital. The challenges are many and the solutions are not simple.
Yet simplicity is key to business defense. Complexity, measured in the number of distinct systems, processes, data repositories, vendor relationships and other variables, is an opportunity for exploitation. Simplicity is also key in the new layered defense model – where the outer layers reduce the likelihood of a successful exploit, and the inner layers find the exploits that evade your other controls.
We’ve heard many times about defense of the perimeter – the idea that we need to keep bad people out of our systems. But the perimeter is not the only consideration. You must also consider surface area and topology.
Your company’s surface area increases with every device and application that you support – especially if they are all connected. Cyber attacks on corporate systems have come from sources as varied as third-party suppliers and Point-of-Sale systems, although they are more likely to come from an infected email or a corrupted website.
Your security processes become strained by the number of devices and systems. Make sure one thousand PCs are patched; how about ten thousand? Deal with dozens of BYOD device types; how about hundreds? Add a new development environment or language alongside the existing ones, when each has its own vulnerabilities and requires its own processes to secure it?
Complexity also makes it harder to spot anomalies in the system. It’s one of the reasons why break-out fraud and money laundering use hundreds of accounts and transactions. Criminals do their best to hide their activities by hiding in plain sight, mimicking normal behaviors at the micro level. It’s only at the macro level that the fraudulent patterns emerge. The more systems and processes you have, the harder it is to get that macro view, and the more costly and time-consuming it becomes.
Complexity hampers your controls in another way as well. If your control specialists (AML investigators, fraud investigators, and cyber security experts) spend their time acquiring data from different systems or switching between systems to do their jobs, they are less effective. A standard response is to dedicate resources to a specific business line or even to specific systems. Unfortunately, this creates silos of information that hamper detection at the macro level. The push for convergence cites the elimination of information silos and an increase in investigator productivity as driving forces.
So are you damned if you do and damned if you don’t? Not really – just follow Albert Einstein’s guidance, “Everything should be as simple as it can be, but not simpler.” Constantly look for ways to simplify your environment, including infrastructure, applications and business processes – then work to keep those systems secure. When constructing business cases, include the benefits of reduced risk and lower potential capital costs as part of your business rationale. From a personnel perspective, reward the people who simplify on par with those delivering the latest functionality.
In today’s hyper-connected world it’s not sufficient to worry only about the perimeter. We have to assume that fraudsters and criminals will evade some of our defenses. Therefore, we have to worry about the surface area that is open for attack and the challenge of detecting attacks quickly when they are occurring. In every instance simplification will help.