IT security – in all its forms – has been a major cause of sleepless nights amongst IT industry professionals for as long as anyone can remember. For most of that time, engaging other areas of the business in the potential risks associated with data loss has been an uphill struggle. That’s now changing, and here’s why. In a business environment where being better connected confers many advantages, the reality of securing an IoT-enabled, fully networked world is becoming apparent.
2015 saw some high-profile breaches. Hacks like TalkTalk and Ashley Madison are making senior management ask themselves: how do you make sure it doesn’t happen to you? At the same time a concerted effort on the part of the government has undoubtedly raised awareness. Cyber is now considered amongst the biggest threats to UK businesses and the government initiative, Cyber Essentials, has sought to improve understanding of what it takes to secure an enterprise. Here are my predictions for the security trends we will be seeing more of in 2016.
Internal and external – it’s all security
Forget the old demarcation between insider threats and external attacks. 2016 should be the year we stop categorising the difference between the two. The biggest challenge for the year ahead will be joining up traditional perimeter defences with better protection against attacks from the inside.
Cloud customers: internal security measures should be top priority
Gartner has predicted that 95% of cloud security failures will be the customer’s fault and, more specifically, attributable to poor internal security practices. Being able to fully trace and manage the internal movement of data isn’t just going to be important if you have a cloud provider.
It makes security sense too. If you look at the most high-profile hacks of recent years, weak internal defences are the common denominator. After the initial breach, when there are few internal barriers, lateral movement and therefore damage is easy. Strengthening internal access provision isn’t just a cyber threat deterrent; it reduces the likelihood of data breaches from insiders, which actually account for the majority of data breaches. In 2016 we will have another reason too – complying with the EU’s GDPR will require a review of how data is stored, processed and moved.
Mitigating the risk of attack…through insurance
If your firm is considering a cyber insurance policy, you are not alone. Cyber is now considered the biggest threat to UK businesses and the meteoric rise of the cyber insurance market is proof of that demand. Paying an insurance company to share some business risk makes good commercial sense. But be warned: putting a cyber-premium in place does not guarantee a payout should a breach occur unless all required security measures are enforced. According to a study we conducted, around half of IT pros weren’t able to tell if necessary security software updates were being made successfully, or if ex-employees or contractors still had access to the systems. Better, instead, to focus on getting some of these basic security measures in place and ensuring the IT department is involved in any decision making regarding a cyber policy from the start.
Focus on the people, not just the tech
CISOs under pressure to provide impermeable defences against external threats may be relieved to hear current thinking suggests that enterprise security should be managed holistically, i.e., by the IT department working in conjunction with other business areas, like HR. Organisations may be missing ‘predictable behaviour cues’ that would presage a hack. In the holistic model, the IT department provides the IT security tools and the HR department provides the appropriate processes and procedures that need to be followed, as well as creating a necessarily more ‘vigilant’ culture.
To put it into a real-life context, what’s the chance that this Christmas bonus season a disappointed worker starts to behave in a way that demands closer scrutiny?
IT security needs to come out of the shadows
TalkTalk is still counting the cost of its attack. Expect to hear more analysis of the breach in 2016, for instance, when CEO Dido Harding goes before a House of Commons Select Committee for a (very public) grilling. Perhaps the most important lesson from TalkTalk is the importance of having strong, IT-literate leadership. If cybercrime is the number one threat to UK business, why are there so few technology experts at board-level? TalkTalk should be the battering ram security professionals use to open up the C-suite over the next 12 months.
This festive season, that’s something we can all raise a glass to.
Chris Pace, Head of Product Marketing, Wallix UK
Chris works for Wallix to engage and educate audiences on privileged user management, using his extensive experience delivering security solutions to all kinds of organisations. Before beginning a career in information security Chris trained as a broadcast journalist and also has worked in IT departments in the public and private sectors. He authors a blog looking at the issues around privileged user management and insider threat management.