IT security faces a crisis of confidence in 2017. Consumers’ awareness of companies’ cybersecurity capabilities has gone up as their faith has hit a low point. This can also be seen as an opportunity. Organizations can now differentiate based on trust and superior cybersecurity – if they can successfully navigate evolving threats. In this issue of CISO Beat, we examine how companies can protect themselves and their products in 2017.

The efficacy of nation-sponsored and organized criminal hacking groups has convinced companies of the fallibility of their information security systems. Cyber insurance is a critical hedge for companies standing to lose tens or hundreds of millions of dollars from a cyberattack. Policies are not a catch-all for risk, however. Just as medical insurers take pre-existing conditions and unhealthy behavior into account, cyber insurers evaluate a company’s cyber risk before writing a policy and even declare some organizations uninsurable. Health insurer Anthem had trouble renewing its policies after a data breach in 2015. Even full coverage does not necessarily cover the entire cost of a catastrophic breach. The largest providers will not cover costs of more than $100 million; Target’s 2013 data breach cost the company $264 million.


Many high-profile cyber attacks in 2016 involved technical ingenuity, but hackers also found new ways to monetize data breaches. Hackers targeted business partners, including news wire services and law firms, to commit fraudulent trading on stolen non-public information. The most famous law firm hack, however, had no financial motivation. The Panama Papers data breach elevated hacktivism to an entirely new level. Morally motivated hacking threatens organizations that might not otherwise consider themselves targets of sophisticated attackers.

When researchers hacked a car, it raised the profile of vulnerabilities in IoT devices. Then the Mirai botnet demonstrated how hackers could exploit vulnerable devices on a massive scale. Device makers so far have mostly neglected security, and consumers will start to feel the costs of these shortcomings in 2017. The IoT market perfectly illustrates how cybersecurity capabilities will enable business goals moving forward.

Few organizations are exempt from ensuring the cybersecurity of their products. Companies ranging from banks to Starbucks now compete based on the quality of their customer applications. Cloud hosting services offer better performance, value, and infrastructure-level security. In the process of moving applications to the cloud, however, companies may falsely assume cloud providers handle all aspects of security. The shared responsibility model applies to IaaS as well as SaaS, and IT security needs to audit application configurations and the behavior of administrators.


IT security teams do not expect budget squeezes in 2017. They do need to demonstrate quantifiable risk reduction in order to justify spending. CISOs will look for tangible results from technology investments. False positives, in particular, can sink a security tool since professionals overwhelmed by alert fatigue ignore notifications. Cloud-based security tools offer ease of deployment that can produce results on a much quicker timetable than traditional software products. Budgets are already shifting in the direction of cloud, following overall IT workloads.