Cyber security chiefs have called on companies to conduct better "cyber hygiene" focusing on preventing basic attacks, rather than obsessing over the threat of nation state-backed hackers.
The industry has begun to think of cyber crime as akin to a public health issue, whereby companies and individuals must be encouraged to do the online equivalents of washing hands and getting vaccines.
Casey Ellis, chief executive of Bugcrowd, a security start-up that connects companies with researchers who discover vulnerabilities in their systems, said up to 90 per cent of attacks could be prevented by doing basics such as keeping software up to date.
"Making sure you are patching your systems, you're doing all of the simple things that you know are more about discipline than they are about any kind of creativity. The other 10 per cent is quite difficult and that's where I think human creativity can come in to solve that piece of it," he said.
Corporate boards are paying increasing attention to cyber security after high-profile attacks on Sony Pictures, and US retailers Home Depot and Target. But many are struggling to understand how to spend their limited budgets effectively against a fast-changing threat.
Geoff Webb, vice-president of solution strategy at NetIQ, an identity and access management company, said attackers are now picking off organisations one at a time because they are not working together.
"We're really looking for something like herd immunity where organisations can actually strengthen each other as opposed to operate single weak point targets," he said.
Although money is pouring into the sector, some cyber security leaders believe their customers have become obsessed with acquiring the latest security gadget without implementing security properly.
Mr Webb said buyers typically focus on infrastructure and technology, rather than considering employees' access to information. Many attacks are the result of hackers commandeering employee accounts and then moving around the network.
Rick Howard, chief security officer at Palo Alto Networks, a New York-listed next-generation firewall company, said companies also fail when they spend lots of money on a "shiny new box", but do not devote enough resources to maintaining it.
But in an industry still reeling from the revelations of Edward Snowden, the former US National Security Agency contractor, and mistrustful of a government push against encryption, cyber security chiefs are unsure how much they would like to rely on the state to set and police basic standards of cyber hygiene.
JJ Thompson, chief executive of Rook Security, a managed security service company, said it was a "very delicate challenge" to get the balance right.
"The level of involvement the government should have in pushing cyber hygiene is really challenging because there are people who are going to say it should be like a vaccine: you require an MMR shot for kids before they go to school because you don't want the absence of that vaccine to cause harm to other kids," he said. "Likewise you could make the argument that it is important for a cyber inoculation of sorts to take place on all laptops, computers, cell phones, mobile devices and others."
But, he added: "The challenge with that is you are forcing people to take a stance with something it would be like almost an invasion of privacy to a certain degree."
© The Financial Times Limited 2015. All rights reserved.
Euro2day.gr is solely responsible for providing this translation and the Financial Times Limited does not accept any liability for the accuracy or quality of the translation