IT security faces a crisis of confidence in 2017. Consumers’ awareness of companies’ cybersecurity capabilities has gone up as their faith has hit a low point. This can also be seen as an opportunity. Organizations can now differentiate based on trust and superior cybersecurity – if they can successfully navigate evolving threats. In this issue of CISO Beat, we examine how companies can protect themselves and their products in 2017.
The efficacy of nation-sponsored and organized criminal hacking groups has convinced companies of the fallibility of their information security systems. Cyber insurance is a critical hedge for companies standing to lose tens or hundreds of millions of dollars from a cyberattack. Policies are not a catch-all for risk, however. Just as medical insurers take into account pre-existing conditions and unhealthy behavior, cyber insurers evaluate a company’s cyber risk before writing a policy and even declare some organizations uninsurable. Health insurer Anthem had trouble renewing its policies after a data breach in 2015. Even full coverage does not necessarily pay the entire cost of a catastrophic breach. The largest providers will not cover costs of more than $100 million; Target’s 2013 data breach cost the company $264 million.
Boom in cyber attack insurance predicted to gather pace https://t.co/dRbOfJJhA1
— Ben Beeson (@Botolph1) December 29, 2016
Many high-profile cyber attacks in 2016 involved technical ingenuity, but hackers also achieved innovations in methods of monetizing data breaches. Hackers targeted business partners including news wire services and legal firms to commit fraudulent trading. The most famous law firm hack, however, had no financial motivation. The Panama Papers data breach elevated hacktivism to an entirely new level. Morally-motivated hacking threatens organizations that might not otherwise consider themselves targets of sophisticated attackers.
Just saw this playbook from Deloitte. Fits well with my 2016 review as hacktivism as the top trend. https://t.co/KSOa6ClPLZ
— Dan Lohrmann (@govcso) December 28, 2016
When researchers hacked a car, it raised the profile of vulnerabilities in IoT devices. Then the Mirai botnet demonstrated how hackers could exploit vulnerable devices on a massive scale. Device makers so far have mostly neglected security, and consumers will start to feel the costs of these shortcomings in 2017. The IoT market perfectly illustrates how cybersecurity capabilities will enable business goals moving forward.
Sign of what's to come. Will all "smart device" manufacturers offer 24×7 support? Or just amass customers with bricked/ransomwared products? https://t.co/dIaYqdmRgG
— Mɪᴄʜᴀᴇʟ Cᴏᴀᴛᴇs (@_mwc) December 29, 2016
Few organizations are exempt from ensuring the cybersecurity of their products. Companies ranging from banks to Starbucks now compete based on the quality of their customer applications. Cloud hosting services offer better performance, value, and infrastructure-level security. In the process of moving applications to the cloud, however, companies may falsely assume cloud providers handle all aspects of security. The shared responsibility model applies to IaaS as well as SaaS, and IT security needs to audit application configurations and the behavior of administrators.
“Investigating CloudTrail Logs” by Ryan McGeehan https://t.co/jUFYLTJ3GL
— jamesbaud (@_jamesbaud_) December 22, 2016
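The auditing the paragraph above calls for, applied to the administrator-behavior half of the shared responsibility model, can be started with a handful of rules over CloudTrail records. The following is an added example, not code from this issue of CISO Beat or from the linked McGeehan post: the records are constructed in CloudTrail's JSON shape (the account id, security group id, IP addresses and user names are made up), and the rule names and the list of privilege-changing IAM calls are assumptions a team would tune to its own environment.

```python
"""Flag risky administrator actions in AWS CloudTrail records.

Added example for the shared-responsibility discussion; the sample
records below are constructed, not captured from a real account.
"""
import json

# Constructed sample records in CloudTrail's JSON shape (assumed values).
SAMPLE_RECORDS = [
    {"eventTime": "2017-01-03T09:12:41Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-01-03T09:15:02Z", "eventName": "AuthorizeSecurityGroupIngress",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0000example",
         "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2017-01-03T10:01:19Z", "eventName": "PutBucketAcl",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2017-01-03T10:20:45Z", "eventName": "AttachUserPolicy",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.22",
     "requestParameters": {"userName": "bob",
         "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2017-01-03T10:30:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.22"},
]

# A CloudTrail log file wraps its events in {"Records": [...]}.
SAMPLE_FILE_TEXT = json.dumps({"Records": SAMPLE_RECORDS})

# Root read-only calls are noisy; only root writes are flagged (assumption).
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Head")

# IAM calls that grant or extend access (assumed watch list, not exhaustive).
PRIVILEGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateAccessKey", "CreateLoginProfile", "AddUserToGroup",
}


def actor(record):
    """Human-readable principal for a record."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root@" + ident.get("accountId", "?")
    return ident.get("userName") or ident.get("arn", "unknown")


def cidrs_in_ingress(record):
    """Yield every CIDR in an AuthorizeSecurityGroupIngress request."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for key in ("ipRanges", "ipv6Ranges"):
            for rng in perm.get(key, {}).get("items", []):
                yield rng.get("cidrIp") or rng.get("cidrIpv6")


def check_record(record):
    """Return the names of the rules a single record trips (empty if none)."""
    hits = []
    name = record.get("eventName", "")
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root" and not name.startswith(READ_ONLY_PREFIXES):
        hits.append("root-account-write")
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        hits.append("console-login-without-mfa")
    if name == "AuthorizeSecurityGroupIngress" and any(
            c in ("0.0.0.0/0", "::/0") for c in cidrs_in_ingress(record)):
        hits.append("security-group-open-to-world")
    if record.get("eventSource") == "iam.amazonaws.com" and name in PRIVILEGE_EVENTS:
        hits.append("iam-privilege-change")
    return hits


def audit(records):
    """Run every rule over every record; one finding per (record, rule) pair."""
    findings = []
    for rec in records:
        for rule in check_record(rec):
            findings.append({"rule": rule, "actor": actor(rec),
                             "event": rec.get("eventName"),
                             "time": rec.get("eventTime"),
                             "ip": rec.get("sourceIPAddress")})
    return findings


def load_records(text):
    """Parse the contents of a CloudTrail log file into its event list."""
    return json.loads(text).get("Records", [])


if __name__ == "__main__":
    for f in audit(load_records(SAMPLE_FILE_TEXT)):
        print(f"{f['time']} {f['rule']:30} {f['actor']:22} {f['event']} from {f['ip']}")
```

Four of the five constructed records produce a finding; the read-only `DescribeInstances` call by a regular user is deliberately left alone so that the output stays short enough to be read, which is the alert-fatigue point the budget discussion below makes.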
IT security teams do not expect budget squeezes in 2017. They do need to demonstrate quantifiable risk reduction in order to justify spending. CISOs will look for tangible results from technology investments. False positives, in particular, can sink a security tool since professionals overwhelmed by alert fatigue ignore notifications. Cloud-based security tools offer ease of deployment that can produce results on a much quicker timetable than traditional software products. Budgets are already shifting in the direction of cloud, following overall IT workloads.
How to get more from your security budget | CSO Online https://t.co/x9kg2f1rQD
— Patrick C Miller (@PatrickCMiller) December 27, 2016