There was a time when IT security conversations were all about the network, with a focus on monitoring and controlling incoming and outgoing network traffic based on predefined security rules. By adding more walls and watching everything that entered and left the network, IT could safeguard corporate infrastructure and data. The endpoint was an afterthought—throw in some anti-virus, and maybe some encryption, then call it a day. Everything has changed.
The Ponemon Institute, on behalf of HP, released the 2015 Cost of Cyber Crime Study, which seeks to understand which cyber attacks are most common and most costly, and which defences are most effective. Central to this year’s report is an awareness of the growing attack surface available to cyber criminals, brought on by mobile and the cloud.
Statistics show that almost half of all organizations suffered at least one serious security incident or data breach in the past 12 months, a figure that grows year over year. Some estimates place the figure higher, closer to three-quarters of all organizations. In healthcare, the percentage of organizations that have suffered a significant data breach or security incident ranges from 68% in the past year to 91% in the past two years.
The idea that ‘people’ are the root cause of data breaches is starting to hit home with executives. According to the Verizon DBIR, 90% of all security incidents trace back to ‘people,’ whether through mistakes, phishing, bad behaviour, or lost stuff. ‘People’ can leave organizations exposed to cyberattacks by using bad password hygiene, losing a device, or succumbing to a phishing scam. The end result that gets publicized is a cyberattack, but addressing data security requires looking to the root cause: ‘people.’
“We trust our employees, that’s why we don’t…” restrict their access / secure their personal devices / restrict the movement of data. Trust is an interesting thing when it comes to data security. Can you rely on trust alone? The answer is no, and not because employees can’t be trusted (though sometimes malicious intent does compromise data), but most often because employees make mistakes.
Information security incidents continue to spike; there has been a 38% increase in detected information security incidents in the past year. Attacks on mobile devices rose to 36% of incidents, up from 24% just a year prior. The result is more adept assaults, combined with new risks to data introduced by the digitization of business functions, mobility, the cloud and greater use of data analytics. There is a growing realization that combating these threats takes more than technology alone: organizations must rethink their approach to information security from the top down.
Data is the lifeblood of today’s digital businesses. Protecting it from theft, misuse, and abuse is the top responsibility of every S&R leader. Hacked customer data can erase millions in profits, stolen intellectual property can erase competitive advantage, and unnecessary privacy abuses can bring unwanted scrutiny and fines from regulators while inflicting reputational damage.
The SANS Institute released a report earlier this year on Insider Threats and the Need for Fast and Directed Response. The report discusses the importance of recognizing insider threats, whether accidental or intentional, why they occur, and their implications, which are often more dire than those of external attacks alone.