Sophisticated attackers break through conventional safeguards every day. Organized criminals, hacktivists, governments and other adversaries are compelled by financial gain, politics, and notoriety to steal or destroy an organization’s most valuable assets. Meanwhile, the cost of a breach is soaring. According to the Ponemon Institute, the average total cost of a data breach worldwide in 2014 was $3.5 million, up 15 percent over the previous year. Of course for some, like Sony, the costs are astronomical. How did the situation get so bad?
Attackers’ sophistication has skyrocketed. A new generation of criminals has honed its nefarious craft. Masters of targeting, criminals use social media, spear phishing, and watering holes to infect employees’ computers. On the Dark Web, the illicit side of the Internet, attackers purchase off-the-shelf malware installers to deploy a global attack in hours.
Asymmetry favors criminals. Organizations must protect thousands of employees and millions of customers or citizens, 24 hours per day, 365 days per year. Thousands of systems must be secured. A criminal only needs to find one vulnerability across these systems to gain a pernicious foothold. They have focus, we have complexity.
Criminal collaboration is global. Long gone are the days of the “lone wolf” hacker. A dark industry is flourishing. Undisclosed vulnerabilities are researched and sold. Attack tools are built, marketed and bartered—with money-back guarantees if the result is not delivered. Today, criminals meet with impunity by the hundreds of thousands in a virtual conference on the Dark Web sharing best practices and plotting their next move.
The technology businesses relied upon to protect themselves ten years ago are not up to the task today. Perimeter and anti-virus security investments are failing to protect against well-armed, sophisticated criminals collaborating on a global scale.
So, is cybersecurity a lost cause for businesses and governments? At IBM, we don't think so. A relentless focus on risk-based security, new approaches, new technologies, and shared defense is already changing this picture for leading organizations and businesses. Here are some of the things we think should be done based on our experience with these businesses.
Assume a perimeter breach. Forget the notion that the “castle walls” of perimeter firewall and sandbox technologies prevent the bad guys from getting into an enterprise network. They don't (ask the retailer Target—they had both). However, infection does not equal business loss. Leveraging analytics, network activity monitoring, database monitoring and behavioral controls allows the detection and cessation of suspicious activity before significant business losses occur.
Obsess over crown jewels. Assuming your perimeter has been breached, invest in a disproportionate amount of protection around your intellectual crown jewels (e.g., that unreleased movie, new design, or patient data). At IBM, we call it the Crown Jewels strategy. Where are the critical assets of your business? What unique protections are in place for them? Deploy tight access management, zero-day malware detection, privileged identity software, database activity monitoring and application security controls to lock these jewels down.
Prioritize investments where the risk is. This is obvious, but it is not happening. IBM's X-Force 1Q 2014 research report showed that 33 percent of vulnerability disclosures in 2013 were in web apps. Yet, while companies see the most risk in the application layer, they invest significantly more in network layer technologies where they perceive risk to be lower. Successful security leaders doggedly pursue application security practices and secure design principles as core to their programs.
Get help. The IT departments of movie studios must face down a nation state? Retailers must keep global hoards of organized criminals at bay? IT departments and retailers cannot do this alone. At IBM, our Trusteer team has pioneered a collective defense strategy to help banks protect their customers. This technology detects and blocks bank fraud and dynamically adjusts to new attack techniques based on cloud intelligence—aggregated by monitoring hundreds of other banks. If more is needed, our security researchers—with first-hand experience combating attacks against banks all over the world—engage in real-time to help the victim.
Share. This includes sharing anonymized information about security breaches so that anti-crime government agencies can alert others to the danger. It means utilizing integrated tools that share information across solutions to improve the ability to detect and respond to threats. Finally, it means sharing knowledge with other trusted parties in your industry.
Embrace cloud and mobile. The combination of cloud and mobile will be game changing for security—and in a very good way. The benefits of using cloud and mobile are obvious to everyone in business these days—it’s all about speed in getting access to computing power and data wherever you are. It’s these same attributes that make some wonder how they can be more secure. The answer is simple. Cloud and mobile platforms actually centralize so many control and access points for businesses that securing them is easier by design. This centralized design makes it easier to control who accesses what data, how they access it, and when they access it.
Be honest. Finally, recognize how bad it might be for your organization or business. Evaluate where the organization has skill gaps and work with trusted security partners to comprehensively determine your security posture and a path to improve it.
Cybersecurity swings like a pendulum. When protections are put in place, criminals will work tirelessly to get past them. If they do, organizations must develop new techniques to pull the pendulum back. Right now, because of rapid acceleration in the capability of attackers, the pendulum is has swung in the bad guys’ favor. However, an increased focus by business leaders on risk, collective defense strategies, and new technologies like cloud and mobile computing will allow companies to pull the pendulum back in theirs.