With a slew of bad actors dispatching almost daily advanced attacks, organizations of all sizes must be prepared. Many respondents to this year's "Guarding Against a Data Breach" survey say they are. Illena Armstrong reports.
Even as advanced persistent threats (APTs) and other attacks strike companies and government agencies at an unparalleled rate, information security professionals remain bullish about forging ahead with their data protection and risk management efforts this year. In fact, more IT security leaders than ever before think their companies are making greater strides in safeguarding critical corporate and customer data.
According to this year's SC Magazine "Guarding Against a Data Breach" survey, which for the first in its six-year history sought input from professionals in the U.K. and Australia, 91 percent of the 427 U.S. respondents say their companies are taking proper steps to protect critical data, compared to 87 percent in 2012 and 2011. Meanwhile, of the 104 respondents from the U.K. and Australia, 83 percent think they are moving in the right direction.
However, the reality may be a little different from these more optimistic views. Just in the last month, it was revealed that sly and practiced hackers, likely from China, pervaded The New York Times computer networks over four months to try to steal information related to a story the newspaper wrote late last year about the Chinese prime minister's relatives – and the riches they obtained. Enlisting several techniques to hide their tracks, the criminals gained access to employee computers and stole reporters' passwords, probably using spear phishing methods to install backdoors. So far, there is no evidence that any files, customer information or other data was affected, according to newspaper officials.
The incursions didn't stop there. Also recently hit were The Washington Post, The Wall Street Journal, Twitter and the U.S. Department of Energy. And all were reportedly battered by similar or the very same savvy cyber assailants employing what are fast-becoming preferred APT attacks that allow them to infiltrate networks and then linger for long periods behind a sea of obfuscation to observe network communications, amass critical information and more.
“Generally, there may be a perception that companies are doing a better job by applying security products [or other tactics], but the reality is that security breaches keep escalating each year,” says Ron Baklarz, CISO and export control compliance officer with the National Railroad Passenger Corp. (AMTRAK). “This will only worsen as nation- and state-sponsored attacks on U.S. critical infrastructures increase, as well.”
Likely because of this escalation, more respondents to this year's data breach survey compared to previous years agree that the threat of a breach, loss or exposure is greatly influencing their organization's security initiatives. Some 85 percent noted this as a major driver, compared to 80 percent in 2012. Similar to U.S. responses last year, 76 percent of U.K. and Australia IT security pros say attacks are a major influence on initiatives for this year's survey, which was sponsored by Vormetric and conducted in partnership with CA Walker.
“As time goes on, more companies understand that it's better to be proactive and assess and deal with the security of their data – through frameworks, standards and regulations, like ISO 27002, PCI or HIPAA – rather than wait for a security incident or a failing security audit to start making progress,” says Brad Johnson, vice president at long-standing consultancy SystemExperts, based in Sudbury, Mass.
This is especially true given how much data actually is being generated every day and how much organizations have come to rely on it to run their businesses, says Tina Stewart, vice president of marketing at Vormetric, a San Jose, Calif.-based provider of enterprise encryption and key management. With reliance on data assets growing exponentially in recent years, protection of it is paramount.
“Recently I read that every day, we create 2.5 quintillion bytes of data – so much that 90 percent of the data in the world today has been created in the last two years alone,” Stewart says. “This data needs to be protected, and there is a cost to that protection.”
Despite the costs, though, budgets largely are remaining flat, with occasional spikes here and there, says Stephen Fridakis, CISO of UN FAO, the Rome-based food and agriculture organization of the United Nations. While a host of external factors may prompt some increases in shares of IT funding to be allocated to cyber security – with motives often going well beyond the threat of a breach – most budgets remain fixed.
“By far the most significant factor affecting our investment strategy is regulations," he says. "Similarly, the second greatest influence is client requirements. Visa, for instance, requires certain cyber security hardware, software, policies and routine audits to engage in business relationships. Additional factors are results of current audits [or] response to media attention or a direct compromise.”
Of the 427 U.S. respondents to the survey, 70 percent say IT security departments and their leaders have the power, executive and business support, budget, and resources to continually improve overall corporate IT security strategies – compared to only 63 percent last year. For U.K. and Australia respondents, though, the number is much lower at only 55 percent.
These numbers reflect the reality, says Ian Appleby, information security manager with Australia-based Endeavour Energy. “Budgets still remain flat, and all security projects are justified on a business-risk basis," he says. "Having a budget for new tools is good, but not fully effective without the budget for staffing to operate and manage the security environment."
And while some information security funds are seeing modest boosts, Fridakis adds that “there is concern that these budgets may not be able to sustain, in the long run, the increased capabilities that we establish today.”
Just how much current and prospective “increased capabilities” are impacted by questions of budgetary need is up for debate, but some experts – even now – have seen security worries plaguing the adoption of new technologies that could support the business.
“I hear security concerns used as justification to delay system modernization efforts or other changes that might possibly create new exposures,” says Becky Bace, chief strategist at the Center for Forensics, Information Technology and Security (CFITS) at the University of South Alabama in Mobile. But, what information security leaders must be diligent about explaining to their bosses is that “there's virtue associated with beefing up security testing and other mechanisms in order to fix problems before systems are deployed," she says.
Because the C-level executives and boards of directors often see IT security as a cost center, misunderstand technology in general and fail to see how harmful data breaches can be to bottom lines and the brand, it's hugely important that CSOs inform and educate them on threats and risks to their businesses.
“They must be able to place security into a business-relevant context and balance the needs to protect the organization versus the needs to run the business operations,” says Phil Ferraro, CISO of DRS Integrated Defenses Systems and Services.
The goal is help business leaders “understand that cyber security is not an IT function,” but rather “a key business enabler,” he adds.
Yet, even though the potential adoption or deployments of new business-enabling technologies and services might have some influence on continually shaping an organization's information security plans, their impact should be as nominal as chatter about the next big attack or the soon-to-be released regulatory requirement. Instead, “appropriate risk management” that accounts for what the critical assets are, how they flow, and in what ways they contribute to the underpinnings of the business must be the main factors in updating security strategies, says Fridakis.
“CISOs need to make sure that we are not swayed by media hype about a technology or a vendor or a perception for an attack. We need to work smarter and concentrate on the most material work,” he says. “Remaining faithful to a risk profile is essential.”
So, when talk of ‘bring your own device' (BYOD) and mobile security crops up, frantic worries about safeguarding cloud environments are voiced, or discussions around third-party applications heat up, security pros have to refine their approaches, but do so through a living risk management plan that enables organizations to be much more adaptable and proactive, rather than reactionary.
“Many companies don't seem to have clear policies to clarify stances on technology like cloud and mobile. The implications of technology need to be considered early and requirements need to be proactively defined and communicated,” says Jeff Brown, operations leader at General Electric. “Right now, it is very reactive. Security is often called in well after the project direction has been set and deployment under way.”
Accounting for gaps
Comparable to previous years, 13 percent of U.S. respondents say their company has suffered a loss, theft or breach of customer/client data. For the U.K. and Australia, 18 percent say they have.
So although more respondents overall say they're taking steps to protect critical data, it doesn't necessarily mean they're actually doing a better job. “Though I'm certain that more are taking steps to protect data, I'm not as sanguine that those steps are keeping up with the threat vectors,” say Bace.
To be sure, the threats are abundant. As well, the attacks themselves are more complex and frequently persistent.
“There is no strategy that will be effective against all types of attacks, but to know there are a variety of types is to build effective ways to monitor for them,” says Jennifer Bayuk, a former CSO and current principal at consultancy Jennifer Bayuk, LLC, based in the greater New York City area.
This is where “a well-rounded defensive strategy” that considers “threats from all vectors” comes into play, adds Stephen Scharf, CISO of Experian. “With proper attention to log aggregation and event correlation, an organization can help increase the likelihood they will discover a security breach quickly and be able to address the threat appropriately. Time is critical, and the sooner malicious activity is detected, the greater the change it can be resolved before data is exfiltrated.”
Of those who experienced a breach, loss or theft of data in the U.S., the information was lost, stolen or exposed through a variety of methods, including web application attack (29 percent), malicious insider (20 percent), targeted attack, laptop loss and theft, or email exposure (all 18 percent). Malicious insiders were higher for U.K. and Australia respondents at 42 percent, as were targeted attacks at 26 percent.
As well, the information security-related problems at the top of lists that caused the greatest financial loss to U.S. companies included data loss (18 percent), data theft (14 percent), vulnerabilities/bugs (11 percent), web application attacks (11 percent) and phishing (9 percent). These seemed to match up with responses from the U.K. and Australia except when it came to insider threats once again, with this problem moving nearer the top, at 21 percent compared to only 7 percent in the U.S.
Targeted attacks, like those that hit some organizations last month, are more frequently the cause of breaches and so are becoming the norm, agree experts. As a result, it's crucial that organizations understand how they happen and when.
“Attacks, at least the sophisticated ones, aren't a single-stage process,” says Charles Kolodgy, analyst with IDC, a provider of market intelligence and advisory services with corporate headquarters in Framingham, Mass. "They generally involve multiple steps."
First, there may be a targeted spear phishing email that entices an unsuspecting user to visit a website that infects them with custom malware that includes a backdoor. From there, attackers are inside the network where they can search out data and start removing it. And, though understanding if any anomalous behavior is happening on the network is critical, so too is preventing the download of the custom malware in the first place. Companies, as a result, are taking multiple steps to deal with these kinds of attacks, says Kolodgy, including bolstering information security awareness training to help staff spot phishing emails. As well, organizations are looking to deploy “better network-based advanced malware detection” to catch malicious payloads.
“At the endpoint, companies are looking at whitelisting and application control to prevent unknown executables from running," Kolodgy says. "They are using network forensics and improved SIEM [security information and event management] to see communications from the network to a location that is suspicious,” he adds. “One solution isn't going to do it.”
Vormetric's Stewart agrees, noting that traditional data protection models that enlisted network-focused security methods, using solutions such as firewalls, intrusion detection systems and more are no longer sufficient on their own.
“Any data-centric approach must incorporate encryption, key management, strong access controls, and file monitoring to protect data in physical data centers, virtual and public clouds, and provide the requisite level of security,” she says. “Today, it is table stakes to ‘firewall the data'. By implementing a layered approach that includes these critical elements, organizations can improve their security posture more effectively and efficiently than by focusing exclusively on traditional network-centric security methods.”
Unsurprisingly, respondents across all the regions queried through this year's SC Magazine survey already have deployed such solutions as email management and content filtering, network monitoring solutions, database security, and file and email encryption. As well, to a lesser degree, some have implemented vulnerability management solutions and web application security. Regarding plans for future deployments this year, many of these solutions make the lists for both respondents from the U.S. and U.K./Australia, with other technologies, such as mobile security, two-factor authentication, cloud security services and data loss prevention getting some attention.
Consultant Bayuk adds that some organizations that often find themselves the targets of APTs, such as government contractors or public agencies, are enlisting attack “kill chain monitoring” techniques. In undertaking these more advanced monitoring methods, organizations avoid confusing a series of malicious activities as stand-alone happenings, which enable them to suss out the patterns behind attacks and therefore better prepare for them in future. “That's the state of the art now – knowing enough about the individual steps of attacks.”
Working with others
Information security departments also are becoming more adept at making connect data protection efforts with other departments beyond IT, such as human resources, public relations, legal, boards of directors and others, Bayuk says.
Indeed, compared to the results of past data breach surveys, this year a higher number of respondents across the regions queried say they are meeting with various departments more frequently than in previous years – usually monthly or quarterly. As well, business continuity and recovery plans are reviewed much more frequently than in the past.
“Security is not a department. It's an architecture,” says Bayuk. “These links are part of your security program – an evolving part of your ability to respond. It's observe, orient, decide, act. It's a living thing.”
This is especially true in bolstering an organization's business continuity and response efforts in times of both IT-based attacks and physical disruptions, such as those experienced by many companies in New York, New Jersey and other northeastern states during Hurricane Sandy.
Dennis Brixius, vice president of risk management and CSO with McGraw-Hill, the New York-based global financial information and education company, knows all too well the need to ensure that organizations stay up and running. Mobile security issues became much more critical when Sandy hit, and his company lost a major data center in the heart of Manhattan, which resulted in 4,500 employees going mobile. While the company slowly is moving back to the data center, most of these staff have been working from home and the road since November, he says.
Naturally for him, security is not about just putting together a security architecture or understanding all the nuances of a risk management plan. With cyber criminals focused on attacking the key business resource of today – data, understanding where critical information is, how it flows and who is accessing it no matter their location or the technology or service they are using is vital.
“We actually exist because of business,” Brixius says. “So how do we get to the point to have an effective risk mitigation plan and communicate that to the board because they're becoming more concerned about security overall? Let's identify the data. Let's classify the data. Let's put retention policies around that data and then really think about who needs access to this data.”
Pondering the future
This year's survey revealed that more CISOs actually are recognizing and espousing their stake in the business. And that trend is important since “technical people don't make business decisions,” says Rick Doten, CISO of DMI, a Bethesda, Md.-based provider of mobile solutions and services for smart devices.
An embrace of corporate needs by security pros also indicates that there is more understanding of “business risks from the departments, what data is important, what applications are critical, what behaviors are risky,” and what controls ultimately must be put in place, he adds, noting that “bringing the business into the process is critical.”
And with hacktivists, organized criminals, espionage actors, state-sponsored attackers and still others overrunning a wide variety of organizations' networks, making security a natural part of everyday activities has never been more central to an enterprise's success. This is why “strong risk management cultures that take systematic approaches to measuring risk” and then apply the appropriate resources to address the greatest dangers among them can remain viable even in the toughest times, says Rob Goldberg, vice president of audit services for information technology and eCommerce at Wal-Mart.
“The economy is an interconnected web with many interdependencies,” says Goldberg. “An attack on one or multiple pieces of that web can have widespread impact[s] on a country's welfare. Organizations that do not maintain diligence in this area make themselves the weakest link in the chain and put every other part of the web at risk.”
About the survey: Email invitations to take a web survey were sent to approximately 62,000 security professionals who subscribe to SC Magazine across the United States, United Kingdom and Australia. A total of 531 respondents completed the survey. All surveys were completed between Nov. 15, 2012 and Jan. 6, 2013. The resultant data was not weighted, and the margin of error is +/–4.2% at the 95% confidence level.
Survey sponsored by: