Will recent high-profile cyber attacks spur stronger security and improved risk management? The consensus from our data breach survey indicates: Yes, reports Teri Robinson.
There have to be real consequences for a data breach, says Randy Marchany, CSO at Virginia Tech. “If something happens on my watch, I should lose my job.” He notes that most of the high-profile breaches of late haven't had any resounding consequences. “And, without consequences, there won't be any real change.”
Executives at Target Corp. must have been thinking along the same lines. Just a day after Marchany made that statement, Target CIO Beth Jacob resigned her post and the company announced a massive restructuring of its information security and compliance division that included an external search for a CIO, CISO and chief compliance officer, with the latter two holding vice president-level positions and reporting to the vice president of corporate security.
Published reports noted that Jacob's resignation letter didn't specifically mention the high-profile breach – ramifications of which are still being felt by the company and the retail industry as a whole. But her departure could signal the beginning of a level of accountability not seen before in the wake of a breach, and it is most certainly an important step in restoring public trust and polishing Target's reputation.
In fact, more often than not, it's the latter – reputation – that compels companies to fortify their information assets against a breach. In the seventh annual SC Magazine “Guarding against a data breach” survey, 74 percent of respondents named the fear of negative publicity as driving their efforts. And nine out of 10 of the 916 respondents surveyed in the U.S. and U.K. claimed their companies are taking steps to protect electronic corporate data.
Survey participants noted that they were considering a number of data security solutions, with a majority focusing on network monitoring. Similar to last year's survey results, about two-thirds are using email management/content filtering and/or network monitoring in their security schemes. But this year, a greater number of organizations (39 percent as opposed to last year's 29 percent) say they were thinking of investing in two-factor authentication and data leakage prevention services. And, more respondents indicated they had turned to file encryption, vulnerability management, web application security, mobile monitoring solutions and SIEM as well.
Noting that the survey numbers show “the most investment in perimeter security,” Tina Stewart, VP of marketing at San Jose, Calif.-based Vormetric, points out that “traditional perimeter security is not going to work” against the current crop of emerging threats.
Even with reputations at stake and despite investments in technology solutions, many organizations are simply not doing enough to guard their data against breach. Some security professionals see a real disconnect between what organizations believe they're doing and reality. Pointing to recent high-profile breaches, Dennis Brixius, VP and CSO, The McGraw-Hill Companies in New York, says, “There are gaps in perception and reality. I think they have plans [to protect corporate data against breach but] they really don't understand what the cyber criminal is all about.”
Many companies also rely too heavily on tech purchases to address their security woes, according to Rick Doten, CISO at DMI, a provider of mobile solutions and services. Too many times companies are led by vendors and swayed by cool technology without developing the processes necessary to safeguard their businesses, he says. “They buy boxes and it makes them feel like they're doing something.”
But the reality, says consultant Tim Mather, is “they're treading water fast and sinking.”
Indeed, 15 percent of survey respondents admitted that their company has suffered a data breach, loss or data theft in the past year.
“That's why nine in 10 are taking steps to protect corporate data,” says Andrew Kicklighter, director of product marketing at Vormetric. “That's a one-in-seven chance you'll suffer a data breach. As a result, people are taking notice.”
Both Brixius and Doten advocate a risk-based approach to securing corporate data. That means companies must first understand the information that they have and the regulations that govern it before prioritizing it. Then they need to ask: “What do I need to do to protect data,” says Doten. A thorough risk assessment should inform an organization's security strategy.
But to protect data you have to find it, says Virginia Tech's Marchany. And experts agree that security divisions are having a hard time doing that. A confluence of conditions – including the wider variety and greater sophistication of attacks, the onslaught of Big Data and the relentlessness of cyber criminals – has complicated security efforts and likely obscured information ripe for exploitation.
Attacks have grown in sophistication and come from all directions. Of those suffering data exposure and loss, over half say it occurred through employees, 26 percent via end-user devices and 20 percent from servers. The type of information compromised varies, with no particular type cited by more than 15 percent.
“There's so much data, and trying to make sense of all of it is impossible,” says Doten.
Instead, today's enterprise needs to narrow its focus to what really matters. Organizations are not taking time to search for sensitive data, says Marchany, something that the bad guys seem to do quite well.
But, not all breaches and network disruptions come at the hands of cyber criminals. Some have more innocent origins – an employee inadvertently revealing sensitive information in a customer account or, perhaps, flooding systems with excess traffic – for example, Ellen DeGeneres's Oscar selfie, which crashed Twitter in a matter of minutes.
And, natural causes often wreak the most havoc. “Mother nature is so much more of a risk,” says Doten.
Regardless of a breach's origin, in all cases it pays to prioritize the information that is most likely to be attacked and yield greater damage, says Doten. A risk-based model, though, can help companies ferret out and identify the data most at risk and the types of events, regardless of their origin, likely to do the most damage. This way security teams can build out their strategy accordingly. “You've got to have this question up front and then ask and ask it again until you get a better answer: What's relevant to you?” says Doten.
To avoid real threats, Mather also suggested that organizations develop security strategies around the lifecycle of data, protecting and managing it – including controlling who has access to it and whether it meets regulatory requirements – from cradle to grave.
Privileged user access control that lets privileged users access and manage systems without putting protected data at risk will help companies fortify their security infrastructures and “defend data where it lives,” says Vormetric's Stewart.
But don't expect security tigers to change their stripes overnight, primarily because the process is messy…and costly. Mather, though, says that's precisely what they should do. Many of those tools purchased over years and “that people are comfortable with are no longer effective,” he notes. “Just rip it off, be done with it. A slow bleed has turned into a torrent.”
The trend of throwing budget dollars at products to solve security woes will likely persist in some organizations as long as company executives view those purchases as the tangible evidence that IT security is taking steps to protect corporate data.
And executives have appreciated the positive impact of those buys on their financial ledgers. “Hardware depreciates over time,” says Doten.
For many companies, though, it seems that the tide might well be turning. Whatever yardstick executives have used in the past to gauge the effectiveness of their companies' security programs has faded into the background as breaches, DDoS attacks and other disruptions have gained both steam and notoriety.
Alarmed by the steady stream of attacks, those occupying the C-suite are more closely scrutinizing their security programs and giving security professionals a voice in the boardroom. “Executives are more interested because they don't want to be another headline,” says Marchany.
They also “don't want their supply chain to go down,” says Doten, so they're paying more attention to security. That might account for why a little less than two-thirds of those surveyed in the U.S. also feel their company's IT security departments now have the power to improve overall corporate security strategy to safeguard corporate data.
And, while budgets have remained relatively flat, a majority of those surveyed say their IT security departments have been able to secure additional budget dollars and resources to counter potential negative impact on company reputation and to comply with a slew of regulatory mandates.
The difference might be in how those dollars are spent and by whom. As security moves away from the product grab and upper management grants security pros their proper status in the organizational chart, experts expect to see budgets slanted toward a more holistic, risk-based approach.
Already it seems that executive influence is being felt as 43 percent of those surveyed say they or their executives are concerned about supply chain vulnerabilities in their own products or products they rely upon. As security has become a priority across the board, 43 percent have implemented security policies to help deal with those vulnerabilities, enacting contract requirements (35 percent), vetting processes (27 percent) and adding security controls (26 percent) for this problem.
If a vendor can't produce the appropriate certifications, an organization should write into its contract that it will audit the vendor.
Despite the strides being made, many organizations have a long way to go. “Some companies still look at security like a commodity,” says Doten. “You don't choose a doctor because they have coupons. They listen to you and are as invested in your health as you are.” Those same traits should apply to security professionals.
At first blush, it seems surprising that two-thirds of survey respondents do not plan on hiring a specialized security professional to aid in their data security efforts, since that runs counter to what Doten and other security experts believe organizations should be doing. But considering that eight out of 10 said they already had a security professional on board, only about 20 percent of those surveyed haven't brought in a security pro yet.
“Hopefully, this will get more popular and more companies will have this kind of consulting, at least from time to time,” says Borislav Petrov, senior technical support engineer at Axway. “For enterprise-sized companies, it is not possible to have one, or they are not serious to count on IT staff alone.”
Others note that despite making clear moves toward shoring up security resources, as long as there are no consequences in the wake of a breach or the consequences are ephemeral at best – a short-lived dip in stock prices, for example – security simply will never be the priority it should be. “Empower people to fix the problem, give them real authority to do something and then give them responsibility. And hold them accountable,” says Marchany.
That's another reason the Target reorganization has significance. Not only did the CIO step down, the company also elevated its CISO and CCO positions to the vice president level, reporting to the vice president of corporate security.
However, the number of IT personnel employed to handle data loss isn't expected to vary much this year over last. About two-thirds of those responding to SC Magazine's data breach survey say that number will remain the same, while only three in 10 expect the number to increase, a bump up from last year's results. Less than half of respondents said that they had between one and five IT personnel handling data loss.
But quality, not quantity, is high up on the list of CISO priorities when it comes to IT, with Brixius and Doten both noting that companies need IT personnel with security experience.
IT continues to undergo a host of changes as the cloud assumes a prominent position in most corporations and there is less for traditional IT to build out. “They're taking on more of a consultant role,” says Doten.
As respondents to the survey plan to handle data exposure, breaches and loss events, 86 percent are involving the IT department, 75 percent the information security department (up significantly from last year), 57 percent the legal department and 45 percent the CEO (also up significantly from last year).
What's clear is that corporations, even with healthy security organizations and an abundance of IT personnel, can't go it alone. They need guidance and support from regulators, industry groups, government agencies and their peers. When U.S. survey participants were asked what was driving their security efforts, compliance, at 64 percent, came in a close second behind loss of reputation. That's not surprising, since there is a bevy of state and federal laws and mandates with which corporations must comply or face heavy penalties.
While survey respondents named SOX (18 percent), state data breach notification laws (17 percent), e-discovery legislation (16 percent) and the European Union Data Protection Directive (16 percent) as among the least helpful mandates they must follow, ISO 27001 (44 percent) and PCI (37 percent) were cited most often as mandates that have helped elevate the need to implement IT security safeguards. That marks a significant increase over last year. About half of the companies surveyed say that ISO 27001 is a priority, and PCI as a priority has increased from last year. Over half say ISO 27001 has been most helpful in detailing implementation safeguards, while the number citing PCI has also grown over last year. “Actually, ISO is used by users even if they don't know it – meaning it is easy to implement and more easy to understand,” says Petrov.
With 47 state data breach laws with which to comply – each with different timeframes for disclosure, applied to different types of information, and some that will let companies defer notification under certain circumstances – an over-arching national law, much like the European model, “is a no brainer,” says Doten.
In the interim, corporations must find their own way, often opting to use one state law or another as a guidepost. And it is within those walls that companies must do the serious work of training their employees at all levels – to raise awareness and prevent future breach. More than eight in 10 of the survey participants say their companies have strengthened security awareness and are training employees in an effort to safeguard corporate data. Several methods were cited as ways to strengthen security awareness. Among those cited most often are email updates (70 percent), periodic online training (60 percent), regular training (58 percent) and newsletters (50 percent).
And there could be a clear business payoff – some companies can use their bolstered security efforts to differentiate themselves from competitors, as a little over a third of those surveyed say they do.
Invitations were sent to 189,650 security professionals – who subscribe to SC Magazine, and others – across the U.S. and U.K. A total of 916 respondents completed the survey, compiled by CA Walker. All surveys were completed between Jan. 21 and Feb. 6, 2014. The resultant data was not weighted, and the margin of error is +/–3.2 percent at the 95 percent confidence level.