A recent report from 451 Research and Vormetric found that security executives are in denial about the cyberthreats facing their enterprises, even as breaches become more likely.
Very few clichés are worth repeating. However, in the cybersecurity world, there's one that can't be repeated enough: When it comes to data breaches, it's not a question of if, but when.
The stats for 2015 tell a familiar and sobering tale. There were 38% more cyberattacks in 2015 than in 2014, along with a 56% rise in the theft of intellectual property. In the U.S., a mind-boggling 169 million personal records were compromised, across the major sectors of financial, business, education, government and healthcare. In a CyberEdge Group survey, 52% of respondents believed that a successful attack was imminent in 2015, and 86% in another survey believed there is a shortage of skilled IT security professionals to handle these problems.
"There is no substitute for ongoing learning," Cates said. To illustrate his point he quoted Sun Tzu's famous injunction: "If you know your enemies and know yourself, you will not be imperiled in a hundred battles."
That's a prescient statement, given the unsettling trends that Vormetric and 451 Research's recent 2016 Data Threat Report, which surveyed more than 1,100 security executives worldwide, highlighted.
Taking a step back from the numbers, the report authors describe a state of denial regarding the level and nature of cyberthreats facing organizations, with too much emphasis placed on familiar but ineffective technologies, and consequent misalignments in IT spending.
Cates gave his take on the cause of the denial, talked about technology that does not work, security tools that do, and how companies can improve their security posture.
TechRepublic: The 2016 report suggests that many organizations "remain in denial" about the increasing risks to their data, both from outsiders and insiders. What do you think is causing this?
Sol Cates: Partially, inertia is to blame. For many people's careers in IT, keeping up their firewalls, network defenses, end point security, SPAM filter, etc. has been enough. Their first thought is often that they just need to do a better job doing what has worked in the past. In spite of all the analyst calls to action, reported breaches, and even past breaches in their own organizations (61% have had a data breach in the past) they see it as a failure in their existing tools, not as a call to action to change how they accomplish their goal of protecting their organization.
There is also a perception that data security is complex, expensive, and a barrier to doing business. In the past (and even with some still existing products today) this has been true. Encryption, for instance, once caused up to 30% system overhead, had long complex deployment and maintenance issues, endless complications in managing encryption keys, and challenges in tying it in with identity and access management systems. That's no longer the case today.
All that's required is a re-balancing of IT security portfolios so that increases go into data protection, rather than upgrading tools that are already failing to keep intruders at bay.
TechRepublic: The report also notes continued spending on business-as-usual technologies. What tools are no longer suited to the current cyberthreat environment?
Sol Cates: While we definitely need network, endpoint, and mobile defenses (a short categorization for a very long list of security controls), these solutions should be coupled with data-at-rest and data-in-motion defenses, along with analysis and correlation tools.
The advent of multi-layer attacks that consistently penetrate traditional network and endpoint defenses to compromise credentials and systems has really changed the game. It's a numbers game for the attackers--it costs them little to keep up a high level of threat activity, and only one mistake to result in a compromise. That's why you'll hear from analysts "It isn't if you will be breached, It's when." With this in mind, IT professionals need to shift the emphasis--less on these traditional defenses, and more on defenses for what the attackers are seeking--their data.
Organizations serious about data security need to take a data-centric approach. This includes:
- Encryption of sensitive data wherever it resides (e.g. file systems databases, web repositories, cloud environments, big data environments and vitalization implementations)
- Policy-based access controls to assure that only authorized accounts and processes can see the data
- Monitoring of authorized accounts accessing data, to ensure that these accounts have not been compromised
TechRepublic: Likewise, what are the newer security technologies that enterprises should be looking at and using?
Sol Cates: Technologies enterprises should evaluate closely include solutions that:
- Recognize threat patterns (like SIEM or big data for security instances)
- Apply protections for access controls directly on the data (like encryption, access controls, tokenization and data masking
- Reduce attack surfaces by making it more difficult to connect inappropriately (like multi-factor authentication)
Some of these aren't necessarily new, but that doesn't mean they aren't effective or can't be used in an innovative manner.
Another note is really a change in operations for IT. With IT solutions for compute, storage, database, and even ERP solutions now readily available to business units and individuals, they need to become the trusted partner that helps the organization safely use these resources. Otherwise Shadow IT results. What's needed is to evaluate and select vendors that already meet the IT security requirements of the organization--such as a vendor that already allows the organization to encrypt their online data, and control their own encryption keys and access policies to maximize enterprise control. The alternative is chaos.
TechRepublic: What are the most important steps that IT leaders can take to enhance their organizations' security posture?
Sol Cates: First, a dose of reality is required. The IT security solutions of the past won't provide the complete protection organizations need in the future. Deal with the change and shift spending and emphasis to add protections that can work even if these traditional defenses have been compromised. Encryption of data at rest and in motion, access controls to encrypted data, data access monitoring, security analytics and enhanced multi-factor authentications are all protections that can help to radically reduce the attack surface once an invader finds their way in, or an insider turns malicious.
When looking at these solutions, it's up to the team to select the solutions that will work for their organization's operation and workflows. Cybersecurity needs to work for the people it protects. If it starts to stymie their productivity, their passion and their drive, IT teams have a problem on their hands. Some questions IT teams should consider when evaluating exactly what might stand in the way of meeting these goals include:
- Does the implementation include support for effective central management of data security policies and implementations?
- Does it involve new, complex hardware or increasing operational burdens?
- Is there a performance impact on transactions?
- Can you transform data to a protected state without long shut down times, and undue demand on infrastructure?
- Will employees experience major changes in how they work?
- Will it allow for flexibility in changing architecture and implementation without putting data at risk?
- Can the solution support both internal needs, as well as enable use of new technologies like SaaS solutions, IaaS/PaaS, Big Data and others?
If the answer to too many of these questions is no, then it's time to go back to the drawing board. One example--privileged user data access controls. The solution needs to work in a way that doesn't fundamentally change the way people work. Allowing these users to get their jobs done, but not exposing data to additional risk.
- Rise of the CISO: Why the C suite needs a security chief (TechRepublic)
- Tech, privacy and security: A debate we need to have (TechRepublic)
- Why CXOs ignore data quality problems (TechRepublic)
- Healthcare IT's battle to keep sensitive data safe (TechRepublic)