2017: Another d'ej`a vu year?
Or will it be the year the security industry will finally implement changes?
Why is it every time there are security breaches, people sit with that niggling thought at the back of their minds that seems to be shouting: "But why am I seeing this same old thing again and again?"
Well, this d'ej`a vu can be attributed to the fact that security practitioners simply appear to be incapable of waking up to the notion that they cannot continue to approach security issues in the same old manner.
As the end of 2016 approaches, it might be a good time to take a minute and examine some of the security events of the past year, and see what there is to look forward to in 2017.
Information security, compliance and governance continue to be some of the hottest topics in the business technology arena, as more company board members are finally raising concerns in this area; a few have even allocated a budget to fight cyber security threats.
There is massive growth in the number of cyber attacks, resulting in costs to economies around the world to the tune of billions each year, regardless of the currency involved. These breaches not only cost money, but destroy reputations that impact on market confidence. Governments and regulatory bodies around the world are increasingly pressuring companies to comply with data security and privacy legislation. Local examples include the SA POPI Act and the recently released King IV.
So, there is more awareness, more discussion and more money being spent on combating threats, which should mean things are getting better, right?
Unfortunately, that is not the case. Data breach numbers are increasing at an incredible rate, ransomware attacks are growing and identity theft and invoice fraud is rife. Recently published reports reveal ransomware attacks on small and medium enterprises (SMEs) have grown by a staggering 800% in the last year. Paying the ransom does not guarantee the return of data, and poorly prepared businesses will take several days to recover - or not at all. For the SME, this could mean a total shutdown of business.
Two further surveys released in November by Ponemon Institute and BDO show 70% of security professionals are overwhelmed by the volume and complexity of threat intelligence data they are faced with every day. Only approximately 27% of security professionals share any form of threat intelligence details with colleagues or the market. Twenty-four percent of such professionals don't share intelligence with anybody, not even their C-level or board execs. An incredible 49% of respondents confirmed their IT teams do not even get intelligence reports. There are simply not enough skills and knowledge to handle the deluge.
Fuelling the fire
This lack of cyber security knowledge-sharing and awareness at board level, along with the severe shortage of skills, adds further fuel to the cyber threat fire.
A kick up the old security strategy derri`ere is required.
Yet, just about everybody continues to do things in the same way. Those responsible for cyber security stick to the script and do the same things every day. This is why battles are being lost while the war rages on. Security practitioners cannot continue to do the same things and expect different results.
Companies are engaged in a conflict for the security of their businesses and data, with an enemy that does not play by any rules. It seems guerrilla tactics change every week, but the victims are still defending the castle the same way, by continuing to do the same things over and over again. This means they will continue to take the pain, suffer the losses and carry on defending as they always have, without ever solving the problem.
Businesses are spending more money but ignoring everything until trouble has already started. Total prevention is impossible and absolute security is a myth - as long as people use the systems and interact with the data. So, as an increased budget for 2017 is being planned, my recommendation to companies, based on my many years of experience in this industry, is they must not throw good money after bad by doing more of the same old thing.
Shake it up!
2017 is the time for change. It is vital to have real and verifiable intelligence and respond to it. Detection is key in the modern fight against cyber crime. Gaining insight through real intelligence is critical; if companies don't have the resources internally, they should turn to a specialist company to do it for them. Take a new view of data and choose suppliers with the knowledge and visibility of threats that go beyond just the company's isolated network environment.
External threats are real - but without gaining visibility of insider threats, companies will continuously be on the back foot. Businesses have to know if there is a change in behaviour; they must be able to see and then react to anomalies.
Breaches cost time, money and reputation. It's time to change the way companies detect, manage and fight in 2017. Gain insight into changes, new software installations and strange movement of data. Put the fence up around the entire perimeter, no matter where the user sits. Companies cannot simply protect the branch office when a percentage of users access and work with data and systems remotely with a data card. Ongoing monitoring is key - but it must be done differently.
Quite frankly, a kick up the old security strategy derri`ere is required. Rethink the plot!
While total prevention is impossible, rapid detection and remediation prevents lateral movement and stops the damage before it spreads. This is enabled only by having visibility, threat intelligence and ensuring there is capability to respond. 2017 is the time to move beyond check-box security and compliance.
I look forward to ever-changing and constant cyber threats in 2017 just as much as I look forward to changing the way companies defend themselves and their customers, share intelligence with the good guys, and fight back.
John McLoughlin has been involved in leading technology solutions for over 15 years and is the founder and MD of the J2 Software group of companies. He is driven by a passion for information security and compliance-focused technology offerings. McLoughlin has consulted around ICT policies, enforcement, productivity improvement, cost reduction and data loss prevention to many organisations in South Africa and elsewhere on the African continent. Through his vision, J2 Software is a provider of globally leading technology solutions that fulfil real business needs and deliver competitive advantage to J2's customers.