Guest post by Mark Lobel
If you want to protect your information assets in today’s interconnected business environment, you need to know your enemy. What are they after, how do they aim to get it and how are you going to stop them?
New hacker strategies, the Bring Your Own Device trend, and Cloud Computing are all combining to expose companies to unprecedented information security risks. Yet, companies are acting as if nothing has changed. Many organizations have yet to deploy technologies that can proactively illuminate today’s threats to the ecosystem, according to “The Global State of Information Security® Survey (GSISS) 2014,” which surveyed more than 9,600 executives including CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security in partnership with CIO and CSO magazines.
The survey finds that security incidents have increased 25% over last year. Not surprisingly, financial costs of attacks are also up by 18%. In fact, the percentage of respondents that report losses of $10 million or more has increased 51% since 2011.
Hackers Exploiting High-Profile Executives
Hackers are a big headache. 32% of those business and technology executives surveyed cite hackers as a source of security incidents. And, hackers are playing dirtier and differently than before. For example, have you ever gotten an email from your child’s school? If you’re like most parents, your first instinct is to open it immediately. Hackers are counting on it.
Hackers used to focus solely on cracking systems. Now, they are exploiting high-profile and/or important executives with information gathered over social networks. Erecting a firewall and employing an intrusion detection system isn’t enough. Corporations need to deploy more sophisticated threat management and modeling systems, for example, yet many of them don’t.
Threats Emanating from Inside
And, businesses are failing to adapt to other threats as well. Most respondents attribute security incidents to everyday insiders like current employees (31%) and former employees (27%). Some of them mean to do harm. Others make innocent mistakes. Regardless, given the predominance of employee risks, it’s surprising that many organizations are not prepared to handle common inside threats. A separate survey co-sponsored by PwC, the 2013 US State of Cybercrime Survey, finds that one-third of US respondents do not have an incident response plan for events emanating from the inside.
The GSISS survey finds that the BYOD trend is contributing to cybersecurity risk generated from the inside. But, mobile security policies lag the proliferation of smartphones and tablets used by employees. In fact, only 42% of executives say they have a mobile security strategy in place and fewer (39%) say their organizations use mobile device management (MDM) software.
In addition, Cloud Computing is becoming commonplace in the corporate ecosystem with 47% of respondents using some form of cloud, but cloud governance is far less common. Among respondents who use cloud services, only 18% report having in place policies that govern the use of cloud. Cloud in the hands of employees can jeopardize trade secrets and open corporations up to legal liability. For example, consider developers inadvertently uploading proprietary code to the cloud or business units unknowingly breaking privacy agreements with customers.
What Exactly Does an Information Security Leader Look Like?
The good news is that budgets are rising. Respondents report that security budgets average $4.3 million this year, a 51% gain over 2012. The bad news is that it’s still not enough, according to the survey. Insufficient capital is cited as the greatest obstacle to improving information security, directly alongside “lack of an actionable vision or understanding of how future business needs impact information security.”
So, what does it take to lead in the area of information security? Below are the criteria needed for a leader, in our opinion.
- Employ a chief information security officer or equivalent who reports to top leadership: the CEO, CFO, COO, CRO or legal counsel
- Have an overall information security strategy
- Have measured and reviewed the effectiveness of security measures within the last 12 months
- Understand exactly what type of security events occurred in the past year
Unfortunately, the GSISS survey found only 17% of respondents qualify as leaders. The traditional reactive approach to information security, which typically relegates security to an IT challenge, remains commonplace, but it’s no longer effective. Today’s new world of security risks demands that organizations treat information security threats as enterprise risk-management issues that can critically threaten business objectives. That means information security needs to move up the list of priorities for the CEO as well as the Board.
As corporations evolve their business strategies, they need to modernize their information security practices to keep pace with the seismic shifts in behavior of hackers, employees and business units. Consider the theft of trade secrets, brand erosion, litigation, etc. Shareholder value is on the line. It’s time to cultivate corporate cultures where security is embedded in the operation of the business.
Image shared by Crazy Ivory