Is there hype and hysteria around security breaches? Is this going to give rise to a cyber-industrial complex? These questions were recently posed to me by a client at a large insurance company.
Well, let’s look at the current situation. Security breaches are growing in scope and visibility due to the increasing automation and interconnected systems, mobile devices and the sharing of personal data. The financial incentive is there for the criminal, nation-state, malicious actor to perpetrate these crimes.
Cyber-security preparedness in the business community, while becoming more visible in recent years, is still far behind the curve when compared to those who wish to commit cybercrime. There is still a tremendous disconnect with employees and general public regarding the current security threats and what impacts their behavior have in propagating or thwarting a breach.
People should be concerned about security breaches since personal data can be used to damage or destroy an individual’s financial and even personal life. An example of this is the OPM breach were millions of pages of security forms were stolen that contained intimate details of individuals. These can and will be used for leverage against those federal employees in sensitive positions within the government by malicious actors.
Are cybersecurity companies using these incidents as a means to feed the hysteria behind breaches? Of course they are. You see this in any industry when a company sells a product or service that can remediate concerns faced by that industry. However, security is still a comparatively low priority at the executive level within corporations. This is changing, but it remains bailiwick of technologists who have minimal say in enterprise decision making.
Are we seeing the beginning of the “Cyber-Industrial Complex”? Well, this was already the case within the Federal government space. Billions have been spent on cybersecurity initiatives but as we have seen that hasn’t helped many government departments who lack even basic security practices. Standard security programs and practices are not expensive to implement but cybersecurity firms are ramping up all sorts of point security solutions that are quite expensive to implement and maintain. Simple, standard security programs do not generate huge revenues for security companies or consultancies.
There are some basic components to an effective security program that do not involve large technology expenditures. One is to keep your infrastructure (servers, workstations, networking gear) up to date (software patches, hardware refreshes), physical security around critical components, endpoint protection (anti-virus / anti-malware) and user training. Most security breaches gain a toe-hold due an error by the user or malicious user intent. For example, the Target breach was propagated by phishing emails.
One of the most effective security practices that employees can participate in are to be cautious when responding to email and browsing the Web. Employees need to make sure that they understand the risks when opening email attachments or clicking on links from unfamiliar sources, for these can lead to malware or virus infection. This is best covered in an effective security education program.
All of these basic tips contribute to a “Defense-in-Depth” approach or layered to enterprise security.
Cyber Security Liability Insurance is gaining in popularity and could be a good investment for a business. The ROI for this type of policy would have to be weighed against the business model, the data stored and the potential damages they could incur in the event of a data breach.
Just don’t get me started about the Internet of Things (IoT). Talk about security disaster.
Shoot me your opinion in the comment section below. I’d love to hear your thoughts on this issue.
Steve Poppe says
MIke, thanks for a good article. I see no evidence of hysteria but I do see, at last, increasing awareness of the risk and the need for better security. The lesson of OPM, to me, is that leadership is the key thing that is lacking. There is certainly no shortage of frameworks — for controls, for governance, for risk management. CEOs and government agency directors are beginning to lose their jobs because of breaches. That is unfortunate but good – there will be no change without accountability.
As to the increasing myriad of security point solutions, two points. First, executives need to learn how to evaluate security investments (equipment, people, processes …) as real business cases, with quantified benefits. Second, I see the beginnings of a convergence so that integrated devices like SIEMs can usefully consume threat intelligence from defender communities like the ISACs. Near-real-time sharing of threat indicators by communities can be a powerful strategy to tilt the asymmetry of the threats back to the defenders’ advantage.
Mike Meikle says
Steve,
I agreed wholeheartedly with your points. Leadership and accountability is really lacking. It’s not just CIO/CISO issues, it the big three CEO, CFO and COO who seem to wash their hands of ensuring their environments are maintained appropriately. IT and security leadership, even at the “C” level are rarely on the same level of authority as the others in the C-suite. This works against managing the risks that are arrayed against enterprise.
As for buying truckloads of security tech, you are right execs need to do the cost-benefit analysis, feasibility studies etc. to make sure these solutions will work in the enterprise.
Thank you for your comment sir I appreciate it.