Security Is No Game
Back in the early 80s, the BBC Micro had only just emerged on the market and computer games were in their infancy. They were a novelty in which I had a passing interest, but it wasn’t until my late teens with the advent of the PlayStation and games like WipeOut that my interest was piqued.
This year I was introduced to Clash of Clans [CofC] by my eight-year-old son who cajoled me into installing it on his iPad one afternoon on the walk home from school. For those not familiar with the game, CofC is a web-based multi-player war game played on tablets and handhelds. The central theme is warfare – you develop and protect your own virtual fiefdom from unknown attackers who seek to destroy your defences and steal your prize possessions. You are similarly rewarded for enacting attacks upon complete strangers and avenging those who have attacked you. It’s seriously addictive and its successor, Clash Royale, is just as engaging.
The growth of the cybersecurity industry and its adoption within Financial Services has tracked that of the mobile games industry in consumer markets. Indeed, I see many parallels between the new breed of mobile multi-user games and a field of technology I have focused on over the last couple of years – cybersecurity. Here’s why:
– Both industries offer significant revenue opportunities.
– Both gaming and cybersecurity vendors have increasingly opted for cloud deployments.
– Gaming and cybersecurity markets have seen high levels of M&A activity:
  – The Wall Street Journal asserts there were 133 security deals in 2015 versus 2014, surpassing mobile technology deals for the first time.
  – Software houses that disrupt the market are being bought by well-established firms to either acquire their IP or knock out the competition.
– Both industries have developed pay-as-you-use utility models to entice their customer base and reduce the cost of entry: with gaming, it’s free-to-download software coupled with in-app purchases; with cybersecurity, it’s FOC anti-virus installs coupled with other product offerings and yearly support contracts thereafter.
The synergies extend further, even in the decisions users of the platforms are tasked with. For example, let’s compare CofC with real-world IT challenges faced by IT security teams. It might sound a little odd but consider the following:
– Just as with mobile strategy games, attacks on your infrastructure can originate from any source.
– You need to think like an attacker, and the more you do, the more you mitigate the threat of an attack.
– The more attractive (read ‘easily attacked’) you make your infrastructure, the more you invite trouble.
– There is a wealth of best practice advice out there to lean on – from planning through to configuration to improve your defences.
– The defences you put in place must be appropriate for the possessions you seek to protect.
– Buying resources (whether cannons or walls in CofC, or expensive perimeter security appliances in the real world) isn’t the whole answer, and whilst investment is key, there’s no substitute for the skills and planning that go into protecting your “castle”.
– The friendly attack (aka penetration test) is an invaluable tool:
  – It gives you a reality check and pinpoints weaknesses without inflicting any damage.
  – It may even highlight or convince you of areas that require further investment to secure your defences.
That said, all of these analogies only represent the outsider or unsolicited threat in the cyber-security world. In CofC, even if someone copies my “clan config”, or raids my Town Hall, it causes no long-lasting damage and no confidential data is lost.
Regardless of their origin, cyber-attacks and resulting data breaches can be devastating. The 2015 Cost of Data Breach Study estimates that the average security breach costs $3.8m, with every individual record lost or exposed costing $154.
Furthermore, whilst role play games may offer you the ability to replay how an attack played out, the same isn’t true in the real world. Even with the best logging facilities, in all probability you will need to engage forensic specialists to track the chronology/origin of any attack, and to recommend steps to mitigate the next event.
According to the WSJ, financial losses have exploded over the last three years, growing 5-fold to $500 billion, with the potential to rise to $2 trillion by 2019. Against this backdrop, the insurance industry generated $2.5 billion in cyber insurance premiums last year, with premiums rising to $3 billion this year.
In summary, whilst cyber warfare games may attract similar investor money and the challenge may appear the same, one is simply a game, the other is becoming a significant cost and a crucial differentiator in this industry.
John Bryant, Options CTO