Data can be safe if businesses take into account value-at-risk rather than the cost of implementing security controls.
What if your security was breached? The question is no longer about "if"; it is only about "when" and "how".
Recently, the information security industry was abuzz with yet another data breach story, putting at risk some 40 million debit/credit card customers of a retail giant. Data breaches just don't seem to stop, and many of the companies affected are Fortune 100 multinationals with multi-million dollar security budgets. If that is not bad enough, what about the SMEs that form the supply chain for bigger organisations and handle confidential data on behalf of their clients? They are more exposed to risk because of their reliance on cloud-based shared platforms, their use of freeware/shareware, weaker and loosely enforced security policies, low budgets and less security expertise.
Legacy data is at stake
The preliminary question that comes to every CISO's mind is: are enterprises focusing on securing the legacy applications that were developed in an era when security was not even an afterthought? Such applications, which are no longer supported and receive no patches, can pose a major threat to the data. While we grapple with the threats from Social-Mobility-Analytics-Cloud (SMAC), another threat is emerging: virtual currency. It is growing in popularity with businesses, will probably grow further and may enter mainstream currency markets soon. Enterprises may also eventually start accepting payments in virtual currency. Virtual currency is a lucrative target for criminals, because stolen currency can be cashed out instantly through ATMs. Moreover, many virtual currency users are not security experts and are probably unaware of the risks. We can expect that trojans and other malware specifically targeting virtual currency, as well as ransomware that demands virtual currency in return for decrypting data, will only increase.
Why do these breaches happen?
When we look at the root cause of such events, we invariably find some basic issues that led to the losses. It is generally the weakest link that gave way. While security product companies are spending millions of hours on research and development of sophisticated security appliances and next-generation, intelligent security software, and global corporates are spending more and more on security solutions and services, why do these fail? It is said that cyber criminals are always one step ahead, exploiting zero-day vulnerabilities or finding chinks in the armour through APTs. Or it could be the attitude of enterprises that turn a blind eye to known cyber risks in their quest for top-line targets, or in their endeavour to be the first to use new technologies whose risks are not fully known. Are corporates jumping on the SMAC bandwagon without assessing the risks and putting effective security controls in place? One of the reasons could be that enterprises do not contemplate having a CISO, a specialist role independent of the CIO, to avoid a conflict of interest. Most enterprises are content with an IT security specialist reporting to a CIO or Head of IT. Is this function equipped to evaluate risk in a holistic manner? And what about people risk?
How do you secure data smartly?
From a technology standpoint, businesses need to focus on an integrated approach of endpoint and network security along with data-centric controls such as DLP and DRM, covering discovery, prevention, detection, response and audit. Enterprises should also share threat intelligence to improve situational awareness and obtain real-time information for a quick response to threats.
Enterprises should do a thorough risk assessment before venturing into new technologies and harnessing SMAC, especially when dealing with confidential data. Technology alone will not solve this problem; a combination of people and processes along with the right technology is required to manage this risk effectively. Investing in the right expertise, whether on-roll, through a consultant or a combination of both, is also essential.
If businesses give serious thought to this ever-evolving threat landscape, they need to think differently and be proactive. Information security needs to evolve into an information risk management function that is independent of IT, but of course works very closely with IT. This function should not be seen as a control to stop bad things from happening, but as an enabler that helps the business become more agile and effective in meeting its objectives. Businesses need to take into account value-at-risk rather than the cost of implementing security controls.
Breaches have the potential to seriously impact the continuity of business through reputation damage, regulatory sanctions, loss of Intellectual Property, frauds and monetary losses. Are you prepared to face this clear and present danger?