As we wipe our brow from “breach fatigue,” rest assured, the exhaustion is not over. In fact, it’s far from over. Companies are grappling with the increased demand to protect their information and assets from the growing threat landscape.  At the same time, they are trying to manage a shrinking budget and a constant push from the C-suite to do more with less.  This delicate balancing act sounds impossible when trying to secure your company, but with the right focus and support, it can be done.  But first, why do you need security, and how do you approach it more strategically?

Breaches Impact Your Bottom Line

A security group and security program do not have to be seen as a large cost center, but rather a value add proposition. Solutions can be scalable based on the size of an organization. Throwing money at securing a business is not only unnecessary but is also a reactive practice that should be avoided.  Companies need to be proactive by having a strategic plan.  When building an organized security program, one thing must always remain consistent: it should be composed of a multi-layered approach, also known as Defense in Depth (DiD). The National Information Assurance Partnership (NIAP) supports a three-pronged approach for such defense: people, technology, and operations.  It boils down to this:

  • People: Hire the good people, implement continuous training, and reward them well.
  • Technology: Deploy solutions that support a layered network defense strategy.
  • Operations: Enforce security policy, respond rapidly to incidents, and restore critical services as quickly as possible.

The idea behind a layered approach is that it creates more obstacles for intruders. Networks with more obstacles make less secure networks appear more attractive to intruders. But let’s be honest, despite best efforts, the intruders can still make it through. Don’t let this discourage you. Companies will always have incidents to manage and vulnerabilities caused by people and technology. The incidents and vulnerabilities shouldn’t deter the quest for a sound security approach. Doing nothing is not an option.

As threats become more sophisticated, let’s take a look at what happens when they culminate into a security incident or a data breach. But first, what’s the difference between a security incident and a data breach and why should you care?  A security incident is any event that compromises the confidentiality, integrity, or availability of an information asset.  A data breach is an incident that results in a confirmed disclosure (not just exposure) to an unauthorized party.  Security incidents are plentiful and often should be an expected risk of doing business. When identified, not all security incidents are required to be reported.  Breaches, however, must be reported and follow a specific protocol to inform all those affected by the data loss. Breaches are what we see splashed across the headlines resulting in substantial monetary loss and, in some cases, heavy regulatory fines. The most critical effect is the long-lasting reputational damage and declined customer confidence companies can experience after a breach.

Battling Breach Fatigue: Breaches impact your bottom line, no matter how big or small the business.

In the last year, over 90% of businesses surveyed by Kaspersky Labs experienced some form of external threat, ranging from minor to significant (“Global IT Security Risks Survey,” 2015). 22% of businesses lost data as a result of those threats, which culminated into data breaches.  These percentages showed that an average cost of a data breach for small and medium businesses (SMBs) is $38K. For larger enterprises, it rings in at $551K.  To add to the financial blow, 60% of businesses that suffer a breach report that their ability to function afterward is severely impaired. This includes system downtime. SMBs reported an average of $16K in lost business opportunities due to system downtime after a breach.  Enterprises were hit with an average of a $203K loss.  This impact can be considered a "one-two punch," an immediate financial loss quickly followed by a secondary loss of potential sales opportunities.  Because of the looming threats, Gartner predicts by the end of the year, cyber security spending will reach nearly $80 billion, an increase of about five percent over 2014. Breaches impact your bottom line, no matter how big or small the business (“Gartner Says Worldwide Information Security,”2014).

Top Security Priorities in 2016

Now we know what happened over the last year, but what are the top security priorities in 2016 to help prevent incidents and breaches? Note: All these can be baked into a Defense in Depth (DiD) strategy:

  1. Malware Detection
  2. Preventing Data Leaks
  3. Patching/Vulnerabilities
  4. Securing Cloud Infrastructure
  5. Continuity of Service On Systems
  6. Focus On Security of Third Parties
  7. Physical Security of Systems
  8. Securing Mobile Devices
  9. Securing Virtualized Infrastructure
  10. Security Awareness Training

But wait! Why are we spending $80 billion and rising year over year to secure data?  There’s no arguing that information security is a necessary investment. In financial investing, people don’t throw money at a stock without first understanding risk and potential ROI. Security is no different.  I’m not surmising we spend less on security. Instead, we need to invest more wisely to maximize ROI.  Companies should not spend money on pricey tools they will never use or systems and software that end up underutilized.  That doesn’t mean the CFO should slash budgets and demand more for less. Rather, it suggests taking a structured, holistic, and risk-based approach to security.  The method needs to be reasonable and scaled to protect the organization as it grows and changes.  Below are some basic requirements companies must implement, at a minimum, to understand their risk of exposure as we move into 2016:

  1. Conduct a security risk assessment. Identify the scope of your systems and focus on where confidential and restricted information is stored, processed, or transmitted.
  2. Understand the threat landscape and the vulnerabilities that can be exploited.
  3. Estimate the impact of a vulnerability if it was exploited using a classification matrix to identify the level of impact.
  4. Determine the risk using a risk matrix that identifies the likelihood of a threat, magnitude of impact, and adequacy of existing controls around the risk.
  5. Identify controls that could reduce or eliminate the risk.

Organizations that do not have the resources should look into outsourcing security. Many companies can shepherd them through the process without charging astronomical fees and bulging their budget.

Finally, as we move into 2016, Gartner has predicted 5 key security trends on the horizon that will affect the way companies approach security. The security priorities noted earlier will be impacted by these trends. All should be considered when building your DiD security program.

  • Mind the Gap.

Companies are having an increasingly difficult time filling open security positions. Qualified candidates can afford to be picky, and they want to be assured the security is endorsed at the highest level.

  • Back to Basics

Chief Information Security Officers (CISO’s) are moving away from dumping money into tools and technologies that will never be implemented or not used to their fullest potential. Instead, they make smarter, more targeted decisions that support the fundamentals of security first, such as security awareness training and policy restructure.

  • Across the Pond

In 2016, US companies will be faced with tough decisions and tradeoffs if they continue or plan to invest in some international markets. For example, China demands a backdoor software and technology access from their business partners. Backdoor into software and technology may expose intellectual property and other sensitive data. The risk may not be worth the reward for many CISO’s looking to expand business into the world’s largest market.

  • One is the loneliest number

As breach reports continue to rise, companies are inspecting their current security organization. They are looking for ways to restructure or add resources so the breach burden does not rest squarely on the shoulders of a brave one or two employees.

  • Threat Intel Throughput

With the rise of Big Data analytics, companies have massive amounts of threat intelligence data at their fingertips. Access to quick intel around user anomalies and threat detection will change the way we approach security on a global scale.

In Stormy Seas… 

If you made it to the bottom of this blog post, the days of adding security on a whim, or when it’s convenient, or when you have resources are over.

Battling Breach Fatigue: In stormy seas, it's better to have an experienced captain than a big boat. Approach your security stance accordingly.

Security is far more expensive and risky to retrofit in a world where technology moves faster than a fleeting thought. Smart planning will save you valuable time, resources, and money. Working security measures into your current architecture will provide the added benefit of securing your data properly. In a world where many are breach fatigued, and companies are budget strapped, securing your data should not be left hanging in the balance.

In stormy seas, it’s better to have an experienced captain than a big boat.  Approach your security stance accordingly.

References

  1. Global IT Security Risks Survey. (2015). Retrieved December 17, 2015, from http://media.kaspersky.com/en/business-security/it-security-risks-survey-2015.pdf
  2. Moore, S. (2014, August 22). Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware. Retrieved December 17, 2015, from http://www.gartner.com/newsroom/id/2828722

Shannon Glass

Director of Information Security and Compliance | AfidenceIT

Comment