What 2014 taught the CISO about planning a cybersecurity strategy for 2015

As 2014 came to a close, we got a front-row seat to the horror show that was the Sony hack. Now that companies are in the midst of planning for 2015, the trials and tribulations of the past year offer clues to the most urgent security threats they will face in 2015, and to the steps CISOs should take to prepare for and protect against cybercriminals.

In the age of big data, bring-your-own-device and internet-connected supply chains, cybercrime is big business, with a staggering 43% of companies having experienced a data breach in the past year. That’s up 10% from the year before.

Despite the rise in breaches, 27% of companies don’t have a data breach response plan or team in place. For this reason, top executives from all disciplines now appreciate that hackers have many sophisticated ways to access critical corporate data. Financial and banking information, customer records, research, marketing plans and confidential emails are all worth stealing – with apps, devices, routers, websites and even the firewall-protected network offering backdoors to clever criminals. Breaches are outpacing security measures.


Cybercriminals have evolved over recent years and are now responsible for organised crime, developing malware and coordinating attacks that are very difficult to preempt and avoid. Hacking is now a lucrative business that is costing the global economy nearly £266 billion annually.

In 2015, companies will continue to face large-scale vulnerabilities such as Heartbleed, Shellshock and POODLE. Security teams must respond to these vulnerabilities while maintaining focus on the scary threats, the unknowns – particularly Advanced Persistent Threat (APT) attacks that don’t just steal data, but destroy it, bringing down business operations. No longer will the greatest threat be someone else having access to your data, but your inability to function. These insidious APT attacks are becoming increasingly common, sometimes using a more traditional Distributed Denial of Service (DDoS) attack as a cover for the intrusion – all unknown to the victims.

To address these growing challenges, there are three crucial action items that executives need to keep in mind as we enter the new year. Firstly, every organisation must really understand its security strategy and be realistic about the current situation. More often than not, people adopt the attitude that ‘it’ll never happen to me.’ With a clear picture of your business risks and resources, executives will be better able to identify and prioritise next steps.

Many fail to recognise their level of risk exposure and don’t regularly review firewalls and logs. Today, organisations are increasingly taking an anomaly-based approach, using business intelligence technologies to detect unusual system activity. Periodic reassessment of the security posture will help determine how the current systems need to be improved. Given the pace at which the security landscape is changing, it will certainly uncover some room for improvement.


Secondly, companies must provide the CIO with a seat at the strategy development table, as they will help identify security threats and data-driven business opportunities. You’d be surprised how many businesses don’t implement new policies to adapt to changes in the corporate environment, such as BYOD. New strategies will help drive cultural change to prevent security breaches and prioritise planning to mitigate the impact of cyber-attacks. Some businesses are stifled by focusing too much on compliance. There is a need for more proactive risk management.

To keep pace with escalating security risks, CISOs must invest more wisely and ensure that basic security solutions are consolidated. A layered approach to enterprise security is essential to deal with today’s threats and business environments. That said, selecting and updating the right security technology portfolio for an organisation can be daunting, so executives often partner with a third-party vendor for the additional resources and support to keep on top of new threats and abreast of new technologies.

Sourced from Andrew Edison, Regional Vice President EMEA, AT&T


Ben Rossi
