Recent research into the pressures on security executives has confirmed what will be obvious to anybody who works in the cybersecurity field: good security is hard. Very hard.
Despite the wealth of new security technologies in the market, everyday security challenges have increased, fuelled by the explosion in new threats like ransomware and business email compromise (BEC), which have loaded business interruption and large-scale fraud onto the pile of consequences that CSOs and their peers face if they fail to secure the business.
Yet pressure has also increased as cybersecurity comes out of the basement, writ large on the front page of newspapers covering Russia’s hacking of the US election, the disaster of Australia’s eCensus, and the firing of many CEOs who failed to prevent their colleagues from falling prey to malevolent scammers. Little wonder that fully 53 percent of the 1600 respondents to the Trustwave 2017 Security Pressures Report – and 55 percent of Australian respondents – said they felt more pressure to secure their organisations in 2016 than in the year before.
That may be down from the 63 percent figure in 2015, but it still reflects a fast-growing burden on security executives as they come to grips with a climate in which 35 percent said their organisations are not safe from security threats – up 9 percent over the previous year.
Security practitioners were most afraid of a security breach leading to theft of customer data and personally identifiable information (PII) – and with good reason, since Australia’s recently-passed data breach notification legislation will put such failures on public display with likely significant consequences.
Executives will be leaning on CSOs to ensure and demonstrate that company data is adequately protected – and their jobs are well and truly on the line, with another recent Trustwave survey suggesting that a data breach that becomes public is a fireable offence at 38 percent of companies.
Other concerning vectors for breaches included ransomware and intellectual property theft, with practitioners most concerned about their responsibilities to identify vulnerabilities and stop the spread of malware.
Advanced security threats and a shortage of security skills were the areas applying the most operational pressure on respondents, with cloud, Internet of Things (IoT) and social media presenting the biggest technological security challenges. With all three well and truly on the operational radar, security professionals were more concerned about the pressure they would be under in 2017 – with 57 percent expecting it to increase over the course of this year.
More data, bigger risk.
Cybersecurity specialists may be under the pump, but it’s not without good reason. A recent IBM analysis found that over 4 billion data records were breached during 2016, while Gemalto’s 2016 Breach Level Index concluded that rampant abuse of identity theft (responsible for 59 percent of all data breaches) and account access (54 percent) had driven a trend towards compromises of bigger databases with large volumes of personally identifiable information (PII).
Stealing that PII will most certainly be a key focus for cybercriminals in 2017, and figures from Gemalto’s research confirm that a number of industries are particularly in their crosshairs.
Healthcare, for one, accounted for 28 percent of all breaches – up 11 percent over a year earlier, although the number of records compromised dropped 78 percent in the same time. By contrast, government targets, which accounted for 15 percent of breaches during the year, saw the number of compromised records grow by 27 percent in the same time.
“Knowing exactly where data resides and who has access to it will help enterprises outline security strategies based on data categories that make the most sense for their organisations,” said Graeme Pyper, ANZ regional director with Gemalto.
“Hackers are casting a wider net and are using easily-attainable account and identity information as a starting point for high value targets… It’s about protecting your business’ data integrity, so the right decisions can be made based on accurate information.”
To make this happen, it’s imperative to put the business-IT gap well behind you. CSOs must work with senior executives and board members to lay down comprehensive plans to not only minimise exposure, but to streamline recovery plans should the inevitable breach slip through.
This means painting cybersecurity risk in business terms, such as the cost of downtime should a ransomware attack take down a department handling core business functions, or the potential damage to customer relationships should PII be stolen and published en masse. Here, you may find inspiration and guidance in Europe’s new General Data Protection Regulation (GDPR), which governs the use of European Union citizens’ PII.
While it may not directly apply to your company, it’s nonetheless a worthwhile model for evaluating and minimising cybersecurity risk. Like Australia’s new mandatory data breach disclosure legislation, GDPR will come into effect in 2018 – meaning that you should already be well advanced in evaluating your exposure, compliance, and any related areas.
GDPR incorporates a slew of best-practice guidelines that will also, thanks to its breach-disclosure component, offer invaluable guidance for businesses working towards clear breach-notification practices.
FireEye security consultancy division Mandiant, for one, called on law firm DLA Piper UK, whose analysis of the GDPR and its implications recommended that organisations develop effective incident response plans that are placed within a “coherent governance framework that supports compliance with all other aspects of the GDPR.”
“If a breach occurs,” the firm’s analysis recommended, “expect the regulator to look at the adequacy of the wider security measures adopted by the business, and the overall approach to information management and privacy compliance. Organisations that have a clear story to tell will be best placed to mitigate the risks of major fines.”
Recommendations include technological controls like network segmentation and data segmentation, as well as regular tabletop exercises to stress-test companies’ ability to comply with breach-reporting requirements.
“Nowadays simply protecting critical business assets isn’t good enough – some attackers are looking to disrupt business until a ransom is paid, so organizations must focus on securing what is needed for regular operations to continue.”
“Security operations teams can now better identify, prioritize and address some of these threats with intelligence-led automation and threat hunting, but they cannot overlook the core fundamentals and best practices such as network segmentation and data segregation.”
Re-evaluate your risk.
Despite its value as a strategic security policy framework, GDPR remains an elusive goal for many companies. A December 2016 Veritas-Vanson Bourne study found that fully 54 percent of companies have not advanced their GDPR compliance readiness, and many weren’t even sure who was responsible for compliance with the guidelines: just 21 percent nominated the CSO, while 32 percent nominated the CIO and 14 percent the CEO. Clearly, cybersecurity is still seen in many circles as an IT issue – although progressive companies know better.
Even as increasing pressure and common purpose bring CSOs and executives closer together throughout the year, the growing threat climate will threaten to tear them apart as seemingly ubiquitous security vulnerabilities cool CSOs on aspirational new technologies, such as IoT and artificial intelligence, that depend on masses of new data but may be difficult to secure adequately to meet broader corporate objectives.
The newly expanded best-practice recommendations embodied in the Australian Signals Directorate’s ‘Essential Eight’ cybersecurity guidelines will help guide CSOs’ efforts to plug yawning gaps in their security policies, but filling in the fine cracks will prove testing for even the most technology-ready organisations.
This is not only because of the technological and policy obstacles that today’s CSOs face, but because progress remains slow in key areas such as security skills and budgets, shortages of which continue to exert drag on ambitious plans for a cybersecurity renaissance. The sheer scope of the necessary protections is also a factor: if you’re not applying the same level of rigour to examining your partners’ and suppliers’ environments as you do to your own, you’re probably missing some potential vulnerabilities that are right in front of you.
Even within organisations where cybersecurity is putatively recognised as a strategic priority, many business and IT staff are struggling to translate awareness into action. A recent Minter Ellison survey of legal staff, risk managers, COOs and board members warned of businesses’ complacency in testing their cybersecurity resilience – and that of their partners – as well as noting an increase in cyber insurance that suggests many businesses are favouring conventional approaches to risk management.
The figures showed a rapidly growing threat amongst surveyed companies as well as rising discontent with existing cybersecurity protections. Fully 18 percent of respondents said their organisations had been hit with more than 5 cyber incidents in the previous 12 months – up from 8 percent a year earlier – while 40 percent were dissatisfied with their organisation’s ability to prevent cyber incidents.
Perhaps most frightening, 42 percent of the Minter Ellison respondents said they do not have a data breach response plan – and of those that do, nearly 44 percent said they do not regularly test that plan at least annually.
“There has been little change in the practical actions that organisations are taking in order to address cyber risk,” the firm’s analysis warned. “It is the potential scale and severity of damage to organisations that elevates cyber risk beyond the realm of IT risk alone, transforming it into an enterprise-wide risk, and one requiring appropriate Board oversight.”
The report’s authors recommend that businesses undertake 12 key steps to embed cyber resilience in their organisations. These include identifying the extent of the organisation’s exposure to cyber risk; developing and implementing procedures to protect the organisation; deploying the human and technical resources required to identify a breach in a timely manner; and having procedures in place to respond to, and recover from, a cyber breach.
An action plan for 2017.
Increasingly serious security breaches – and increasingly serious executive conversations about cybersecurity – reinforce the idea that CSOs should make it a key priority in 2017 to be heavily engaged across the business in carefully inventorying existing and potential cybersecurity risk. This is hardly news for those in security, but survey results continually suggest that it will still come as a surprise to business executives who remain more focused on day-to-day operations than on long-term cybersecurity goals.
Even as they work to educate staff about the depredations of ransomware and how to avoid it, security specialists must also be working with business leaders to draw up plans to minimise the potential damage of these and other attacks. This includes improving backup regimes, extending infrastructure resilience, and investing in better monitoring tools to help ensure that anomalous behaviour is quickly discovered whether on the network or in the cloud.
In many ways, the free ride – if you can call it that – will definitively end as this year rolls to a close. With looming data breach notification promising a significantly altered operating environment in 2018 – and even more pressure from executives for whom public discussion of their cybersecurity failings is not something they want to experience – it’s up to CSOs to take the initiative, unite business risk managers and everyday users, and rally the company’s defensive and offensive resources in any way that’s necessary.
A cybersecurity reckoning is coming to separate the wheat from the chaff – and this year, it’s time to decide which side you’ll be on.
Infographic (credit: Gemalto 2016 Breach Level Index Report): http://breachlevelindex.com/assets/Breach-Level-Index-Infographic-2016-Gemalto-1500.jpg