When it Comes to Information Security, 100 Percent Protection is Unattainable
As we enter 2018, it is a good time to reflect on what happened in cyber security last year. The lessons of the past 12 months can help set a clear path for minimizing the risk of succumbing to data breaches in the New Year. In 2017, the news headlines were dominated by global ransomware attacks such as WannaCry and NotPetya, a growing number of new vulnerabilities (e.g., KRACK, ROCA, and a series of WordPress flaws), and massive breaches such as those at Verizon, Equifax, and Uber. Considering the scale and sophistication of these attacks, many organizations need to revisit their security strategies in order to limit their exposure to cyber threats in 2018.
According to Gartner, worldwide security spending will reach $96 billion in 2018, up 8% from the 2017 spend of $89 billion. Meanwhile, security incidents continue to increase, which raises doubts about the effectiveness of these investments. Post-mortem analysis of the data breaches of 2017 shows that many of the biggest can be attributed to a longstanding failure to implement basic cyber security measures (e.g., multi-factor authentication), misuse or underuse of existing security tools that could have streamlined the mitigation of known vulnerabilities, and a lack of controls for protecting sensitive data.
Instead of earmarking security investments for bolstering traditional perimeter defenses, which is a losing battle, organizations need to return to the essentials of cyber security. In doing so, they can improve their security posture and limit exposure to data breaches. Focusing on the following three areas will provide the greatest return on security investments in 2018.
Undeniably, data is the prime target for attackers. Therefore, protecting data so that it cannot be exfiltrated or modified limits the damage a network breach can do, and makes preventing every network breach less critical. Unfortunately, data is often left unsecured. For example, a quick web search for “data breach and unencrypted data” produces thousands of results that illustrate how many organizations fail to protect the integrity of their data and do not even encrypt sensitive information.
The first step toward assuring data integrity is to classify data into categories that reflect the business need to protect it, such as “public”, “internal use”, “confidential”, and “top secret”. Unfortunately, data classification is often abandoned because of the manual effort required to maintain an up-to-date inventory amid the constantly changing nature of information. However, some cyber risk management systems provide dynamic grouping with drag-and-drop capabilities that can automate the realignment of data classifications and propagate changes to all associated nodes.
Data classification then determines what data should be encrypted, which typically includes all personally identifiable information (PII). Innovations in encryption technology over the past few years have eliminated many of the earlier performance and deployment roadblocks. Organizations should place special emphasis on developing well-documented and properly implemented encryption policies for protecting sensitive data wherever it resides and however it is transmitted. Encryption only protects data from whoever lacks the key, so key management and access to keys deserve the same rigor as the choice of cipher.
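The following Go program is an added example, written for this page rather than taken from the article or from any product it mentions. It shows the policy the preceding paragraphs describe in working form: each field of a record carries a classification label, fields at or above “confidential” are encrypted with AES-256-GCM from Go's standard library, and the GCM authentication tag (with the field name bound in as additional data) turns any tampering or column swap into a decryption error, which is the integrity property this section is after. The policy threshold, the field names, the record contents and the literal key are assumptions for the demo; a real deployment would take the key from a KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Classification levels, using labels from the scheme named in the text.
type Classification int

const (
	Public Classification = iota
	Confidential
	TopSecret
)

// RequiresEncryption is the assumed policy: Confidential and above are encrypted at rest.
func (c Classification) RequiresEncryption() bool { return c >= Confidential }

// Field is one record attribute; Value is plaintext until Protect seals it to nonce||ciphertext.
type Field struct {
	Name   string
	Class  Classification
	Value  []byte
	Sealed bool
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect applies the policy to every field. In production the key comes from a KMS, not a literal.
func Protect(fields []Field, key []byte) ([]Field, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	out := make([]Field, len(fields))
	for i, f := range fields {
		out[i] = f
		if !f.Class.RequiresEncryption() {
			continue
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// Field name as additional data: a ciphertext moved to another column will not decrypt.
		ct := aead.Seal(nil, nonce, f.Value, []byte(f.Name))
		out[i].Value = append(nonce, ct...)
		out[i].Sealed = true
	}
	return out, nil
}

// Reveal reverses Protect. GCM authenticates the stored bytes and the field name, so any modification yields an error instead of silently corrupted plaintext.
func Reveal(f Field, key []byte) ([]byte, error) {
	if !f.Sealed {
		return f.Value, nil
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(f.Value) < ns {
		return nil, fmt.Errorf("field %s: stored value shorter than nonce", f.Name)
	}
	return aead.Open(nil, f.Value[:ns], f.Value[ns:], []byte(f.Name))
}

// SampleRecord is a constructed record for the demo, not real customer data.
func SampleRecord() []Field {
	return []Field{
		{Name: "catalog_sku", Class: Public, Value: []byte("SKU-1001")},
		{Name: "national_id", Class: Confidential, Value: []byte("123-45-6789")},
		{Name: "card_number", Class: TopSecret, Value: []byte("4111111111111111")},
	}
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // demo key only
	protected, err := Protect(SampleRecord(), key)
	if err != nil {
		panic(err)
	}
	// Flip one stored byte of the card number: its integrity check now fails.
	protected[2].Value[len(protected[2].Value)-1] ^= 0x01
	for _, f := range protected {
		pt, err := Reveal(f, key)
		fmt.Printf("%-12s sealed=%-5v plaintext=%q err=%v\n", f.Name, f.Sealed, pt, err)
	}
}
```

Flipping a single byte of a stored ciphertext, as main does to the card number, makes Reveal return an error rather than a corrupted card number; an unauthenticated mode such as AES-CBC without a MAC would not give that guarantee, which is why the integrity goal of this section calls for an authenticated cipher and not just “encryption”.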
Access control is the Achilles' heel of many security programs, since practitioners must balance data availability against measures that prevent unauthorized use (e.g., theft, disclosure, modification, destruction). Meanwhile, attackers often target privileged users, since their accounts provide a beachhead into the entire network. Therefore, strict enforcement of well-defined access control policies, and continuous monitoring of access paths to ensure they work as intended, are essential to the success of data integrity initiatives.
As part of a modern identity management model, organizations should consider transitioning to a Zero Trust model, which operationalizes the “never trust, always verify” principle. Under Zero Trust there is no default trust for any entity, including users, devices, applications, and packets: every access request is authenticated and authorized on its own merits, regardless of where on the network it originates.
Effective prioritization of vulnerabilities and incidents is essential to staying ahead of attackers.
While security monitoring generates big data, in its raw form that data is only a means to an end. Ultimately, information security decisions should be based on prioritized, actionable insight derived from it. To achieve this, internal security data (e.g., vulnerability scan results) needs to be correlated with the business criticality of the affected assets and with external threat intelligence (e.g., whether an exploit is publicly available or actively used) to derive the organization's real risk exposure. Without a risk-based approach to security, organizations can waste valuable IT resources mitigating vulnerabilities that in reality pose little or no threat to the business, while leaving actively exploited flaws on critical, exposed systems unaddressed.
When it comes to information security, 100 percent protection is unattainable. However, by supplementing traditional perimeter defense mechanisms with data integrity, identity management, and risk-based prioritization principles, organizations can significantly reduce their exposure to Uber-scale data breaches in 2018.
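As an added example (not from the article or from any risk management product it refers to), the following Go program ranks scanner findings by the kind of correlation described above: CVSS severity multiplied by the affected asset's business criticality, its internet exposure, and a threat intelligence weight. The finding IDs, asset names, criticality scale, multipliers and intel labels are all constructed for the demo.

```go
package main

import (
	"fmt"
	"sort"
)

// ThreatLevel is what external threat intelligence reports for a vulnerability.
type ThreatLevel int

const (
	NoKnownExploit ThreatLevel = iota
	PublicExploit
	ExploitedInWild
)

// Asset carries the business context a vulnerability scanner does not know.
type Asset struct {
	Name           string
	Criticality    int // 1 = lab box .. 5 = revenue-critical (assumed scale)
	InternetFacing bool
}

// Finding is one scanner result: a vulnerability on an asset with its CVSS base score.
type Finding struct {
	ID    string
	CVSS  float64
	Asset Asset
}

// Scored pairs a finding with its computed risk.
type Scored struct {
	Finding Finding
	Risk    float64
}

// threatWeight converts intel into a multiplier; the values are assumptions.
func threatWeight(l ThreatLevel) float64 {
	switch l {
	case ExploitedInWild:
		return 3.0
	case PublicExploit:
		return 1.5
	default:
		return 1.0
	}
}

// RiskScore multiplies technical severity by business criticality, network
// exposure and threat activity, so a modest CVSS on an exposed critical system
// outranks a "critical" CVSS on an isolated test box.
func RiskScore(f Finding, intel map[string]ThreatLevel) float64 {
	exposure := 1.0
	if f.Asset.InternetFacing {
		exposure = 2.0
	}
	return f.CVSS * float64(f.Asset.Criticality) * exposure * threatWeight(intel[f.ID])
}

// Prioritize returns findings ordered from highest to lowest risk.
func Prioritize(findings []Finding, intel map[string]ThreatLevel) []Scored {
	out := make([]Scored, 0, len(findings))
	for _, f := range findings {
		out = append(out, Scored{Finding: f, Risk: RiskScore(f, intel)})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Risk > out[j].Risk })
	return out
}

// SampleFindings and SampleIntel are constructed demo data, not real scan output
// or real threat intelligence; the IDs are internal ticket-style labels.
func SampleFindings() []Finding {
	return []Finding{
		{ID: "F-1", CVSS: 9.8, Asset: Asset{Name: "dev-test-07", Criticality: 1, InternetFacing: false}},
		{ID: "F-2", CVSS: 7.5, Asset: Asset{Name: "payments-api", Criticality: 5, InternetFacing: true}},
		{ID: "F-3", CVSS: 8.1, Asset: Asset{Name: "hr-db", Criticality: 4, InternetFacing: false}},
	}
}

func SampleIntel() map[string]ThreatLevel {
	return map[string]ThreatLevel{"F-2": ExploitedInWild, "F-3": PublicExploit}
}

func main() {
	for i, s := range Prioritize(SampleFindings(), SampleIntel()) {
		f := s.Finding
		fmt.Printf("%d. %s on %-13s CVSS %.1f -> risk %6.1f\n", i+1, f.ID, f.Asset.Name, f.CVSS, s.Risk)
	}
}
```

Run as-is, the CVSS 9.8 finding on the isolated test box lands last, behind a 7.5 on an internet-facing, actively exploited payments system; patching in plain CVSS order would invert that, which is exactly the waste of effort the paragraph above warns about.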