If all you read are the headlines (and there are too many, to be sure), you’d be convinced enterprises are losing the never-ending battle to secure their networks.
Perhaps they are.
And to help turn the momentum, more enterprises are doing more to bolster their security defenses. They are increasing their information security spending, collaborating more on threat intelligence efforts, and turning to cybersecurity insurance policies in larger numbers, according to a global security survey released today.
The most recent Global State of Information Security Survey, based on responses from 10,000 IT and security decision-makers in 127 nations and produced by PwC US in conjunction with CIO magazine and CSO, also reported that enterprises' information security spending is up from last year, while financial losses from cyber attacks have decreased from $2.7 million in 2014 to $2.5 million this year.
The survey also found that enterprises are improving in their ability to detect breaches that are underway. In fact, enterprises reported a 38 percent increase in detected incidents this year over last year. They are also seeing more intellectual property theft, which jumped 56 percent over the previous year. Another interesting finding: while current and previous employees constituted the bulk of attacks aimed at these enterprises, there has been a noticeable surge in breaches attributed to current and former partners and suppliers. Data breaches attributed to them are up to 59 percent this year, from 46 percent in 2014.
Although it’s nearly a decade in the making, the enterprise move to cloud platforms is creating tremendous change in how enterprises use, manage, and protect their applications and data. The research firm IDC expects public cloud spending alone to hit $70 billion this year.
“We are looking at a completely new paradigm for security. When you add always on, always connected and couple all of that with the fact that we no longer are keeping data in our own premises. It completely changes how we have to do security,” says Tyler Shields, a security analyst at Forrester Research.
With 69 percent of respondents using cloud-based security services, the cloud has without a doubt matured into an established delivery method for security controls and services: real-time monitoring and analytics (56%), authentication (55%), identity and access management (48%), threat intelligence (47%), and end-point protection (44%).
“The only way to effectively perform security in this new environment is to do it at cloud scale. That means you have to actually be able to capture data, analyze data, analyze security-related metadata and data, and then make decisions based on it and enforce your security controls; because to do anything less means that they'll never be able to keep up with the pace of the movement of the data,” says Shields.
Enterprises share intelligence together, or get breached individually
The increase in cyberattacks, especially from nation states targeting critical infrastructure, government agencies, and corporate intellectual property, is fueling the motivation for more cybersecurity information sharing. Earlier this year, President Barack Obama signed the Executive Order -- Promoting Private Sector Cybersecurity Information Sharing to promote the sharing of information security threats within the private sector and between the federal government and the private sector.
“It will encourage more companies and industries to set up organizations -- hubs -- so you can share information with each other. It will call for a common set of standards, including protections for privacy and civil liberties, so that government can share threat information with these hubs more easily. And it can help make it easier for companies to get the classified cybersecurity threat information that they need to protect their companies,” President Obama said at the Cybersecurity and Consumer Protection Summit at Stanford University.
Interestingly, our survey found that among the organizations that don’t collaborate, it was the lack of sharing processes and standards that was holding them back. The executive order hopes to change that with the creation of Information Sharing and Analysis Organizations (ISAOs) that are broader in scope than the current, industry-specific Information Sharing and Analysis Centers (ISACs). The ISAOs will include cybersecurity sharing among specific industries as well as for specific geographies and security events as needed.
“Without effective information sharing, there is no way to know what is actually going on. We can never know if the grid is under attack, or what to do if it is. We can never know if it is just our own problem [within a single organization] or something broader,” said Chris Blask, director of Webster University's Cyberspace Research Institute.
Cyber insurance gains some momentum
If the busy history of data security breaches has taught us anything about cybersecurity, it’s that enterprise security efforts certainly reduce the frequency of cyber attacks. And they may also mitigate the damage done by thieves and attackers, more often than not. But data breaches are bound to happen. Enter cyber insurance. While cyber insurance has been around for decades and hasn’t managed to grow into more than a small niche, the idea is finally starting to take hold. Cybersecurity insurance is one of the fastest-growing segments in insurance. PwC forecasts that the global cyber insurance market will grow from $2.5 billion this year to $7.5 billion by 2020.
This year’s survey found that 59 percent of respondents have purchased some level of cyber insurance. Currently, such policies commonly cover data destruction, denial of service attacks, theft and extortion; they also may include incident response and remediation, investigation and cybersecurity audit expenses. Other areas of coverage include privacy notifications, crisis management, forensic investigations, data restoration and business interruption.
Blask contends that cybersecurity insurance can, over time, help enterprises better manage cybersecurity risks. “One of the wonderful things about insurance is it can determine what's good enough (security), and the actuarial process will provide the math to help determine what protective measures work and how effective they are. From the insurance perspective, they need to know what [level of risk] they're getting into. That's the entire conversation in insurance right now: how to make better decisions on the cyber security risks they're accepting transfer of,” Blask says.
Use of security frameworks paying off
The survey also found that the long-term investments enterprises have made in security frameworks such as ISO 27001 and the US National Institute of Standards and Technology (NIST) Cybersecurity Framework are paying off. Benefits respondents cited include the ability to detect and mitigate security incidents better and more quickly (47%), a better ability to identify and prioritize risks (49%), more secure sensitive data (45%), and a better understanding of gaps in policy (37%).
In the end, all of these security efforts are about helping the enterprise to use technology to be more efficient and succeed. “Enterprises are looking for ways to be more agile, grow, and embrace the cloud more securely,” said Jim Reavis, executive director of the Cloud Security Alliance.
The survey found that a big part of moving forward securely is the use of security data analytics. A sizable 59 percent of respondents are using security data analytics to some extent, and many are citing improvements such as better understanding of external threats (61 percent), better understanding of internal threats (49 percent), and a better understanding of user behavior (39 percent).
“I view security as a collection of security metadata, analysis of that metadata, and enforcement of policy,” said Shields. “Right now we're at the stage where we're increasing our collection of metadata. Drastically. We're working on ways to get at continuous scans of our web applications so that we have that data always coming in. We can continually assess every endpoint on our traditional network and we can continually assess security enforcement or security metadata from our cloud providers,” he added.
“The next step for improvement is how we improve the analysis. That will be through automation, machine learning, and artificial intelligence,” Shields says.