Enterprises are stepping up their security game
9 October 2015
If all you read are the headlines, and there are too many, you could be forgiven for thinking enterprises are losing the never-ending battle to secure their networks.
But a new survey has found that enterprises are doing more to bolster their security defences. They are increasing their information security spending, collaborating more on threat intelligence efforts, and turning to cyber security insurance policies in larger numbers, according to a global security survey released today.
The most recent Global State of Information Security Survey, produced by PwC US in conjunction with CIO magazine and CSO and based on responses from 10,000 IT and security decision-makers in 127 nations, also reported that respondents' information security spending is up from last year, while financial losses from cyberattacks have decreased from $2.7 million (€2.38 million) in 2014 to $2.5 million (€2.2 million) this year.
The survey also found that enterprises are improving in their ability to detect breaches that are underway. In fact, enterprises reported a 38% increase in detected incidents this year over last. They are also seeing more intellectual property theft, which jumped 56% over the previous year. Another interesting finding: while both current and former employees constituted the bulk of attacks aimed at these enterprises, there has been a noticeable surge in breaches attributed to current and former partners and suppliers. Data breaches attributed to them are up to 59% this year, from 46% in 2014.
Although it was nearly a decade in the making, the enterprise move to cloud platforms is creating tremendous change in how enterprises use, manage, and protect their applications and data. The research firm IDC expects public cloud spending alone to hit $70 billion (€62 billion) this year.
“We are looking at a completely new paradigm for security. When you add always-on, always-connected, and couple all of that with the fact that we no longer are keeping data on our own premises, it completely changes how we have to do security,” says Tyler Shields, a security analyst at Forrester Research.
With 69% of respondents using cloud-based security services, the cloud has without doubt matured into an established delivery method for security controls and services: real-time monitoring and analytics (56%), authentication (55%), identity and access management (48%), threat intelligence (47%), and end-point protection (44%).
“The only way to effectively perform security in this new environment is to do it at cloud scale. That means you have to actually be able to capture data, analyse data, analyse security-related metadata and data, and then make decisions based on it and enforce your security controls; because to do anything less means that they will never be able to keep up with the pace of the movement of the data,” says Shields.
The increase in cyberattacks, especially from nation states targeting critical infrastructure, government agencies, and corporate intellectual property, is fuelling the motivation for more cybersecurity information sharing. Earlier this year, US president Barack Obama signed an executive order, “Promoting Private Sector Cybersecurity Information Sharing”, to promote the sharing of information about security threats within the private sector and between the US federal government and the private sector.
“It will encourage more companies and industries to set up organisations — hubs — so you can share information with each other. It will call for a common set of standards, including protections for privacy and civil liberties, so that government can share threat information with these hubs more easily. And it can help make it easier for companies to get the classified cybersecurity threat information that they need to protect their companies,” President Obama said at the Cybersecurity and Consumer Protection Summit at Stanford University.
Interestingly, when it comes to providing those data sharing standards and methods, the survey found that the organisations that do not collaborate reported the lack of sharing processes and standards as what was holding them back. The executive order aims to change that with the creation of Information Sharing and Analysis Organisations (ISAOs), which are broader in scope than the current, industry-specific Information Sharing and Analysis Centres (ISACs). The ISAOs will include cyber security sharing among specific industries as well as for specific geographies and security events as needed.
“Without effective information sharing, there is no way to know what is actually going on. We can never know if the grid is under attack, or what to do if it is. We can never know if it is just our own problem [within a single organisation] or something broader,” said Chris Blask, director of Webster University’s Cyberspace Research Institute.
If the busy history of data security breaches has taught us anything about cybersecurity, it is that enterprise security efforts certainly reduce the frequency of cyberattacks. And they may also mitigate the damage done by thieves and attackers, more often than not. But data breaches are bound to happen. Enter cyber insurance. While cyber insurance has been around for decades without growing beyond a small niche, the idea is finally starting to take hold. Cyber security insurance is one of the fastest-growing segments in insurance. PwC forecasts the global cyber insurance market will grow from $2.5 billion this year to $7.5 billion (€ billion) by 2020.
This year’s survey found that 59% of respondents have purchased some level of cyber insurance. Currently, such policies commonly cover data destruction, denial of service attacks, theft and extortion; they may also include incident response and remediation, investigation and cybersecurity audit expenses. Other areas of coverage include privacy notifications, crisis management, forensic investigations, data restoration and business interruption.
Blask contends that cyber security insurance can, over time, help enterprises better manage cybersecurity risks. “One of the wonderful things about insurance is it can determine what’s good enough (security), and the actuarial process will provide the math to help determine what protective measures work and how effective they are. From the insurance perspective, they need to know what [level of risk] they’re getting into. That’s the entire conversation in insurance right now: how to make better decisions on the cyber security risks they’re accepting transfer of,” Blask says.
The survey also found that the long-term investment enterprises have made in security frameworks such as ISO 27001 and the US National Institute of Standards and Technology (NIST) Cybersecurity Framework is paying off. Benefits respondents cited include better and faster detection and mitigation of security incidents (47%), an improved ability to identify and prioritise risks (49%), more secure sensitive data (45%), and a better understanding of gaps in policy (37%).
In the end, all of these security efforts are about helping the enterprise to use technology to be more efficient and succeed. “Enterprises are looking for ways to be more agile, grow, and embrace the cloud more securely,” said Jim Reavis, executive director of the Cloud Security Alliance.
The survey found that a big part of moving forward securely is the use of security data analytics. A sizable 59% of respondents are using security data analytics to some extent, and many are citing improvements such as better understanding of external threats (61%), better understanding of internal threats (49%), and a better understanding of user behaviour (39%).
“I view security as a collection of security metadata, analysis of that metadata, and enforcement of policy,” said Shields. “Right now we’re at the stage where we’re increasing our collection of metadata. Drastically. We’re working on ways to get at continuous scans of our web applications so that we have that data always coming in. We can continually assess every endpoint on our traditional network and we can continually assess security enforcement or security metadata from our cloud providers,” he added.
“The next step for improvement is how we improve the analysis. That will be through automation, machine learning, and artificial intelligence,” said Shields.
George V Hulme, IDG News Service