Enterprise organizations experienced an average of more than 9,100 security incidents over the past year, according to CSO’s 2016 Global State of Information Security Survey. And those are just the attacks or vulnerabilities they detected.
Clearly, the war on cybercrime is getting more complex, and risks are on the rise. Defending the enterprise requires a mix of traditional InfoSec practices along with an eye toward any number of new threats that are gaining traction.
We asked security experts about their enterprise security priorities for the year ahead, and three themes emerged.
A new calendar doesn’t mean a clean slate for security strategy. Many threats have endured for years and continue to pose challenges. That’s why experts cited longstanding challenges such as phishing or poor employee security practices as priorities for the year ahead.
“Phishing, SQL injection and reused passwords … in other words, the same top enterprise security priorities of last year, and the 10 years before that,” said Rob Graham (@ErrataRob) of Errata Security, a security consultancy.
Attacks that target individuals are the hardest to control, said Ed Featherston (@efeatherston), enterprise architect at Collaborative Consulting. “Almost every major breach in 2015 started with an employee inadvertently clicking on a [phishing] link that provided the hacker the initial entry into the environment,” he said. “Hackers make the emails more and more sophisticated, so that automatic filtering does not guarantee prevention of the phishing email from being delivered.”
The solution is also familiar: ongoing training and awareness.
“Education of the employees is critical, both to understand the risk and to maintain vigilance,” said Featherston. “This also can’t be a once and done, as it will fade from employee’s horizon if it’s not an ongoing process.”
“Cyber security education from the top down, including every employee within the organization, is essential,” said Scott Schober (@ScottBVS), CEO of BV Systems, a maker of wireless threat-detection tools. “Employees can make or break a company if they are not actively implementing proper security best practices.
“A company may spend tens of thousands of dollars securing their servers, backing up data, and running real-time threat analysis software, only to have a new employee innocently pick up a USB stick in the parking lot and naively plug it into the companies network,” said Schober. “This can quickly negate all the security initiatives that were put in place.
“The costs are high to train and test each employee,” he said, “but the costs of ignoring these basic safety tenants has become incalculable.”
Training should extend to all of your business partners and third-party vendors that have access to company and customer data or networks, Schober added.
Ron Woerner (@RonW123), director of cybersecurity studies at Bellevue University, agrees that employee education must be a top priority. “Many people don’t have enough knowledge, skills and abilities to properly security their infrastructure and data,” he said. “Let’s work together to build the security profession and develop the next generation of cyber workers.”
People are a priority, but processes and technology are equally important components of a comprehensive cybersecurity strategy. To that, data scientist Ronald van Loon (@Ronald_vanLoon) said the main priority of B2C companies in particular “is to securely store and protect personal information from clients.”
And software evangelist Arthur Hicken (@CodeCurmudgeon) emphasized the need for companies to move from a “test security in” mentality to a “build security in” mindset.
“Security groups cannot only focus on finding exploits, which is very expensive,” Hicken said. “Rather they should focus on [common software vulnerabilities] that will be exploited in the real world.”
All of these efforts require another longstanding priority: improving alignment between IT, security teams and the business. “Security resources need to be entrenched in organizations, not entrenched in a security organization within the organization,” said cyber security strategist Kyle Kennedy (@Kyle_F_Kennedy), CISO at CyberSN.com. Better alignment will help leadership teams articulate the value of security in business terms, not fear tactics, Kennedy said.
While age-old challenges such as phishing and employee training are more than enough to keep InfoSec teams busy in 2016, there are plenty of emerging threats that should be on their radar as well. For example, the rapid increase of intelligent, connected devices – aka the Internet of Things – is creating a shared sense of urgency among many security experts.
From an enterprise security perspective, Kennedy said, machine-to-machine attacks and “headless worms targeting headless devices” are a top priority.
Tech journalist Adrian Bridgwater (@ABridgwater) concurred. “Security priority number 1 (or at least top 10) is looking to the re-platforming of many Internet of Things layers such that we can securely provision for connectivity across the entire IT lifecycle,” Bridgwater said. “The standards just DO NOT exist as we stand today.”
New regulations are also on the horizon, likely requiring businesses to revisit their compliance policies.
“A key priority in 2016 for any European company, and non-European companies which store or process EU citizen personal data, is preparation for the EU General Data Protection Regulation (GDPR),” said Dave Whitelegg (@SecurityExpert), a UK-based cybersecurity expert. Whitelegg called GDPR “the biggest shakeup on how enterprises legally meet information security and individual privacy rights in history.”
“Even though the GDPR doesn’t come into force until 2018, give the major enterprises changes required together with the risk of large financial penalties if not done, 2016 should be a year to commence preparation the GDPR,” he said.
Another emerging priority involves automation – the development and deployment of machine learning and other advanced techniques to turn ever-increasing volumes of data into useful threat intelligence.
“The top enterprise security priority is to help organizations move beyond signatures for detecting threats,” said Greg Martin (@gregcmartin), CEO of Jask Labs, a cybersecurity startup. “We are getting crushed now that attackers are walking through the front door with stolen user credentials. Anomaly detection and AI-based threat detection is the future.”
Identity automation is another priority, according to Robert Siciliano (@RobertSiciliano), a security expert with BestCompanys.com. “Passwords may never go away, and that’s fine,” he said. “Two-factor authentication might seem to be the next best solution. But not having passwords for certain critical applications, and implementing other authentication methods such as biometric, Bluetooth proximity, device recognition or reputation, geolocation, and pictographs should be a priority.”
Prepare for the unexpected
A move toward automation will also lay the groundwork for more quickly identifying undisclosed or new types of threats – an important competency in a cyber ecosystem where unknown risks are potentially the most damaging.
“The reality is you will never be able to 100% prevent breaches from occurring,” said Featherston. “To mitigate that risk you need to be aware a breach is/has occurred as soon as possible to react and protect the data. Monitoring tools and staff to evaluate potential breaches needs to be a priority if you have data that is high risk.”
Advance warning of adversaries’ intentions is critical, said Bob Gourley (@BobGourley), a partner with security consultancy Cognitio and publisher of CTOvision.com.
“It is not enough to just say they will keep trying, we know that,” said Gourley. “But what we need to always ask ourselves is what new, creative, previously unseen methods will they use to get in. That is a key thing we security professionals can help each other assess.”
What’s your top cybersecurity priority for the year ahead? Add to the conversation in the comments section below.Posted by Rob O'Regan Posted on 25 Jan