Increases of global information security threats remain as much a certainty as death and taxes, at least according to the latest Information Security Survey from PWC. That report, which was published in October, highlights several troublesome trends and provides valuable information for those concerned with enterprise IT security. Nonetheless, interpreting the information delivered into applicable best practices remains a challenge for many IT security professionals. Especially those who will be assigned the task of keep their organizations from becoming one of the latest statistics in the battle against cybercrime.
PWC rightly points out that cyber security has become a persistent business risk and that threats (both to the economy and intellectual property) are on the rise. The report goes on to identify some very troubling incidents, including:
- More than half (53%) of global securities exchanges have experienced a cyber attack (IOSCO Survey)
- In South Korea, some 105 million payment card accounts were exposed in a security breach (Symantec Corp)
- City officials in Verden, Germany announced the theft of 18 million email addresses, passwords and other information (TechWeek, Europe)
- Cyber thieves stole more than $45 million from worldwide ATM accounts of two banks in the Middle East (CNet.com)
While the above mentioned compromises prove to be just a small fraction of the security incidents that occurred in 2014, those incidents do reveal some of trends, namely that financial gain is a key motivator for attackers and that even the most secure organizations are still susceptible to threats, two realizations that should be game changers for those seeking to protect IT assets from cybercrime.
Is the victim at fault?
When it comes to cybercrime, the complacency of the victims is sometimes at fault. While that does not excuse the criminal nature of the attackers, it does highlight the need for organizations to be proactive in protecting their assets – after all, the law only comes into play after a crime has be committed, meaning that the numerous anti-cybercrime laws on the books hold little sway against determined cybercriminals.
In other words, organizations should be taking a defensive position and grid themselves for attack as inevitability and as not an exception to the rule. That ideology will prove to be a key factor in the paradigm shift needed to protect against the onslaught of attacks expected in 2015.
PwC is forecasting that global security incidents are on track to grow some 48% in 2015, which should strike a dissonant chord with the majority of security professionals.
Is risk management the answer?
With the idea of a security paradigm shift on the table, today’s cyber-defenders should be thinking in different terms than just traditional security initiatives, shifting their focus towards an ideology of “cyber risk management”, which is being fueled by an initiative founded by the NIST.
The NIST has set forth a security framework (NIST Cybersecurity Framework) that stresses management over technology and highlights several best practices that should help organizations defend against the imminent threats posed by increasing cyber-attacks. While some of the elements of the framework fit under the realm of accepted best practices and common sense, there are other elements that encompass a sea-change on how organizations deal with cyber threats, namely in the core ideology of five concurrent and continues functions that provide a strategic view into the lifecycle of an organization’s management of cyber security risk. Those functions include:
- Identify: Build an institutional understanding of cybersecurity risk to organizational systems, assets, data and capabilities
- Protect: Develop and implement the appropriate safeguards, prioritized through an organization’s risk management process, to ensure delivery of critical IT capabilities without compromises
- Detect: Build the appropriate systems and policies to identify the occurrence of a cybersecurity event
- Respond: Create and implement the appropriate activities, policies and events that must occur if a cyber-security event occurs
- Recover: Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the capabilities or critical infrastructure services that were impaired through a cybersecurity event.
While the NIST states that its methodologies and best practices are optional, the organization does make a strong case for those looking to benefit from a holistic approach to cyber security, and at the very least, sheds some light on what should be an important conversation within any business relying on cyber capabilities to conduct business.
Those charged with the management of enterprise cyber security must delve deeper into what makes up an enterprise’s cyber security ideology and make appropriate adjustments before disaster strikes.