Businesses need to create response and mitigation strategies for state and hacktivist 'shaming' attacks or go the way of Sony, according to security chiefs from the Met Office, Heathrow Airport and the Economist Group.
The professionals issued the warning at a panel discussion attended by V3 at Infosec 2015.
Mark Jones, chief information security officer at Heathrow Airport, highlighted the 2014 Sony breach as proof that state actors are targeting businesses and non-government groups in a bid to show cyber dominance.
"The state actors have the heavy armaments, the heaviest capability. If we went back to this when it was a closed world it was state on state," he said.
"But now state actors are taking opportunist moves, targeting individual organisations publicly thinking ‘We want to hurt you.'
"You need to consider and put plans together that address the fact that you may be targeted by a state actor. [For example] the Sony attack wasn't about IP theft it was about embarrassment."
The attack occurred in 2014 when a group of hackers, believed to be sponsored by the North Korean government, targeted Sony Entertainment.
The attack was designed to "punish" Sony for its hand in creating a film about a fictional assassination attempt on Kim Jong-Un. The hackers leaked vast amounts of sensitive intellectual property and documents online.
Vicki Gavi, head of information security at the Economist Group, mirrored Jones' sentiments, but added that the hacktivism threat is equally pressing.
"The Sony hack was like any other hacktivist attack, but isn't the sort of threat we're most concerned about," she said.
"We aren't in the business of breaking news. We do analysis so it's unlikely someone will try and steal our intellectual property.
"It's not the main thing we're worried about. We're more worried about a DDoS attack. If our websites aren't available we worry about losing readers."
Jonathan Kidd, chief information security officer at the Met Office, agreed with his peers, arguing that the shift is indicative of a wider evolution in the threat landscape.
"We've got quite a wide landscape of potential attacks. One of the things we've noticed in the last 18-24 months is that the sophistication of the background threat, that may not be targeted, has increased. The threat of advanced malware is growing all the time," he said.
Jones said that businesses should adopt more robust threat modelling strategies which assume that determined hackers will eventually breach perimeter defences.
"We're moving to a world where keeping the bad stuff out is impossible, and we're all working to improve our situational and tactical awareness," he said.
"I'm a big fan of threat modelling - thinking about an actor, an action and an asset and then doing some work that lets you construct and argue about the believability of a threat.
"There are a lot of general risk assessments available. I think that threat modelling lets you articulate your primary threats well to the senior team."
Gavi agreed, highlighting her experience at the Economist Group to articulate the hacktivism threat to executives as proof.
"Early in 2011 we started getting worried about Anonymous. It became clear to us that hacktivism would be a threat to The Economist," she said.
"In December 2011 we ran an exercise for our senior execs that simulated a cyber attack. Anonymous very helpfully puts videos online telling people how to make their videos.
"So I got a student to create one and showed it to the execs. It scared the bejesus out of them. It enabled them to have a discussion about it and it helped us. A week later a competitor was hit. And on 2 January my boss came and asked me how much money I need."
The security professionals' comments follow wider calls for businesses to prepare systems to deal with cyber attacks interested in causing harm, rather than making a profit.
Cryptography expert Bruce Schneier issued a similar warning during an earlier keynote at Infosec.
A new RSA report urges coders to sign a 'Hippocratic Oath' before embarking on AI programmes.
IT security vendor believes APT33 is working for the Iranian government
Darktrace pushes machine learning to take some of the pressure off of IT and security teams
Google also gets its hands on HTC's IP in a non-exclusive deal