Preparing for the new norm: 2013 Guarding against a data breach survey

“CISOs need to make sure that we are not swayed by media hype about a technology or a vendor or a perception for an attack. We need to work smarter and concentrate on the most material work,” he says. “Remaining faithful to a risk profile is essential.”

So when talk of 'bring your own device' (BYOD) and mobile security crops up, worries about safeguarding cloud environments are voiced, or discussions of third-party applications heat up, security pros have to refine their approaches, but through a living risk management plan that lets organizations be adaptable and proactive rather than merely reactive.

“Many companies don't seem to have clear policies to clarify stances on technology like cloud and mobile. The implications of technology need to be considered early and requirements need to be proactively defined and communicated,” says Jeff Brown, operations leader at General Electric. “Right now, it is very reactive. Security is often called in well after the project direction has been set and deployment under way.”

Accounting for gaps

In line with previous years, 13 percent of U.S. respondents say their company has suffered a loss, theft or breach of customer/client data. For the U.K. and Australia, 18 percent say they have.

So although more respondents overall say they're taking steps to protect critical data, it doesn't necessarily mean they're actually doing a better job. “Though I'm certain that more are taking steps to protect data, I'm not as sanguine that those steps are keeping up with the threat vectors,” says Bace.

To be sure, the threats are abundant, and the attacks themselves are more complex and frequently persistent.

“There is no strategy that will be effective against all types of attacks, but to know there are a variety of types is to build effective ways to monitor for them,” says Jennifer Bayuk, a former CSO and current principal at consultancy Jennifer Bayuk, LLC, based in the greater New York City area.

This is where “a well-rounded defensive strategy” that considers “threats from all vectors” comes into play, adds Stephen Scharf, CISO of Experian. “With proper attention to log aggregation and event correlation, an organization can help increase the likelihood they will discover a security breach quickly and be able to address the threat appropriately. Time is critical, and the sooner malicious activity is detected, the greater the chance it can be resolved before data is exfiltrated.”
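What “log aggregation and event correlation” buys in practice, as an added example that is not part of the article or the survey: two constructed log sources are merged into one timeline, and a rule fires only when three individually noisy signals line up on the same host (a burst of failed logins, then a successful login, then a large outbound transfer). The hostnames, addresses, log format and thresholds are all assumptions made for illustration.

```python
"""Added example (not from the article or the survey): log aggregation and
event correlation over two constructed log sources. Hostnames, IPs, the
log format and the thresholds are all made up for illustration."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample logs (not real data): an authentication log and an
# egress proxy log, one "timestamp key=value ..." record per line.
AUTH_LOG = """\
2013-03-04T09:00:01Z host=db01 event=login_failed user=admin src=203.0.113.7
2013-03-04T09:00:03Z host=db01 event=login_failed user=admin src=203.0.113.7
2013-03-04T09:00:05Z host=db01 event=login_failed user=admin src=203.0.113.7
2013-03-04T09:00:06Z host=db01 event=login_failed user=admin src=203.0.113.7
2013-03-04T09:00:07Z host=db01 event=login_failed user=admin src=203.0.113.7
2013-03-04T09:00:09Z host=db01 event=login_ok user=admin src=203.0.113.7
2013-03-04T09:05:00Z host=web02 event=login_ok user=jsmith src=10.0.0.21
"""
PROXY_LOG = """\
2013-03-04T09:02:30Z host=db01 event=egress dst=198.51.100.9 bytes=734003200
2013-03-04T09:06:10Z host=web02 event=egress dst=93.184.216.34 bytes=10240
"""


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict = field(default_factory=dict)


LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Normalize one raw line into an Event; returns None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        kv = dict(p.split("=", 1) for p in m.group("kv").split())
        return Event(ts, kv["host"], kv["event"], kv)
    except (ValueError, KeyError):
        return None


def aggregate(*sources: str):
    """Aggregation: merge every source into a single time-ordered event stream."""
    events = []
    for src in sources:
        for line in src.splitlines():
            e = parse_line(line)
            if e is not None:
                events.append(e)
    return sorted(events, key=lambda e: e.ts)


# Correlation rule parameters (assumed values; tune per environment).
FAIL_THRESHOLD = 5                    # this many failed logins ...
FAIL_WINDOW = timedelta(seconds=60)   # ... inside this window looks like brute force
EXFIL_WINDOW = timedelta(minutes=10)  # egress this soon after the login is suspicious
EXFIL_BYTES = 100 * 1024 * 1024       # 100 MiB outbound counts as "large" here


def _prune(q, now):
    """Drop failed-login timestamps that have aged out of the window."""
    while q and now - q[0] > FAIL_WINDOW:
        q.popleft()


def correlate(events):
    """Fire when one host shows: failed-login burst -> successful login -> large egress.
    Returns (host, detection_time, seconds_since_first_failed_login) per alert."""
    fails = defaultdict(deque)  # host -> timestamps of recent failed logins
    suspect = {}                # host -> (time of suspicious login, first failure time)
    alerts = []
    for e in events:
        q = fails[e.host]
        _prune(q, e.ts)
        if e.kind == "login_failed":
            q.append(e.ts)
        elif e.kind == "login_ok" and len(q) >= FAIL_THRESHOLD:
            suspect[e.host] = (e.ts, q[0])  # success right after a brute-force burst
        elif e.kind == "egress" and e.host in suspect:
            login_ts, first_fail = suspect[e.host]
            if e.ts - login_ts <= EXFIL_WINDOW and int(e.fields.get("bytes", 0)) >= EXFIL_BYTES:
                alerts.append((e.host, e.ts, int((e.ts - first_fail).total_seconds())))
    return alerts


def run():
    """Aggregate both constructed sources and return the correlated alerts."""
    return correlate(aggregate(AUTH_LOG, PROXY_LOG))


if __name__ == "__main__":
    for host, when, lag in run():
        print(f"ALERT {host}: suspected exfiltration at {when:%H:%M:%S}, "
              f"{lag}s after the first failed login")
```

Neither log on its own would justify an alert: a handful of failed logins is daily noise, and a large upload from a database host may be a backup. Only the merged timeline shows the sequence, which is the point of the quote above; the third element of each alert (seconds from the first failed login to detection) is the time-to-detect figure a SOC would want to drive down.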

Of those who experienced a breach, loss or theft of data in the U.S., the information was lost, stolen or exposed through a variety of methods, including web application attack (29 percent), malicious insider (20 percent), targeted attack, laptop loss and theft, or email exposure (all 18 percent). Malicious insiders were higher for U.K. and Australia respondents at 42 percent, as were targeted attacks at 26 percent.

As well, the information security-related problems at the top of lists that caused the greatest financial loss to U.S. companies included data loss (18 percent), data theft (14 percent), vulnerabilities/bugs (11 percent), web application attacks (11 percent) and phishing (9 percent). These seemed to match up with responses from the U.K. and Australia except when it came to insider threats once again, with this problem moving nearer the top, at 21 percent compared to only 7 percent in the U.S.

Page 3 of 6