Recent incidents around cyber security have taught us a few things:

  • Stuxnet and its recent offspring, Duqu, show how advanced modern cyber threats have become. Apparently, cyber threats can reach places where bombs can’t go, and do so unnoticed at first.
  • Incidents involving certificate authorities like Comodo and DigiNotar have shown that these threats can break down the foundation on which trusted communication on the internet is built.

This shows there are highly motivated and well-funded ‘adversaries’ in the world who have the means to come up with solutions that are unstoppable: unstoppable by anti-virus and other malware protection solutions, and unstoppable by following today’s common practices in information security.

But all is not lost. I am not trying to create fear, uncertainty and doubt. The threats listed above were targeted at very specific and high-profile victims. The average organisation does not have to protect itself against such advanced threats. But then again, which organisation is average? Every organisation has a risk profile, even if it is close to zero. And for every organisation, the potential damage of a cyber security incident differs.

Cyber threats surfacing in the media may not be the kind your organisation needs to worry about (yet). Your organisation is unique and is best served by a unique combination of measures (mitigating controls, in jargon) that protect against the threats relevant to it while accepting the risks it can tolerate. Organisations that take information security (and themselves) seriously should implement measures based on risk assessments, not on the media.