2014 has seen a steady cadence of major breaches in the news. Unfortunately, this falls directly in line with one of our major threat predictions made in Q4 2013. Government, retail, financial, healthcare and even medical equipment manufacturing companies have been in the cross hairs of targeted attacks. The ratio of companies being breached by cyber criminals and their respective syndicates versus hackers being brought to justice is completely askew. What is behind this phenomenon? The world is truly flat for cybercriminals and nation-state actors. As one of our top-tier threat researches like to say, “Packets don’t have passports.” This makes defending against and ultimately bringing cyber criminals to justice that more difficult. Attribution in cyber is like an episode of CSI on anabolic steroids.
As IT and security professionals, we are all doing our best to fight the good fight against what seems like a relentless barrage of attempts to saturate our infrastructures with malware and attack behaviors designed to steal our sensitive data. At the end of the day, it truly is all about the data and ensuring we have the proper data classification levels for the requirements of our businesses. Subsequently, we then must deploy cost effective infrastructure and security protocols to comply with the data security standards we impose on ourselves in addition to other mandatory regulatory compliance such as the Payment Card Industry (PCI). Without proper data classification, organizations either have to protect everything like it is top secret, which isn’t practical or protect everything generically. This certainly is also not advisable as it increases risk to your organization. Unfortunately, many organizations fall on the latter half of this equation. In our latest threat roundup, we analyze how cybercriminals are cashing in on digital information and what methods they are leveraging to take down their targets. At the end of the day, it is about implementing a risk model that makes sense for your organization. I often use the term Risk Balance when discussing Risk Management. Simply because we all must make decisions regarding information security with the concept of balancing investment and risk if/when our data assets are compromised.
With the Internet of Everything, we are seeing an unprecedented explosion of connected devices. We are moving so quickly with IT transformation in the form of virtualization and cloud, mobility and big data. Often data security gets overlooked when analyzing all aspects of enterprise architecture. This can be due to budget, timeline or lack of awareness of tools and capabilities to assist with your IT projects. Zachman’s Enterprise Architecture framework has data as its first major pillar for enterprise architecture. Many organizations are recognizing this as a major component of their strategy and putting data protection at the top of their strategic initiatives. Gartner recently reported on the increase in the number of global Chief Data Officers (CDO). These positions are on the rise and becoming extremely important as a peer to the CIO and the CISO. Like Gartner, I believe collaboration on data requirements and processes between this triad of senior level IT/Security leaders will be paramount. CISO’s have assumed many aspects of what used to be called the CRO (Chief Risk Officer). They will be working with the CDO to quantify and measure cyber risk and be tasked to protect the data by figuring out the right levers to pull when it comes to investing in people, process and technology to facilitate their organizations requirements. All three will be working to ensure the CEO and the Board of Directors is armed with enough intelligence about the risk of targeted attacks and the repercussions for the organization. This will help quantify why investments must be made to balance the risk.
In summary, each of our enterprises is different. Pain varies from organization to organization when they feel the impact of a targeted attack. The fact of the matter is it still hurts to be compromised. IT and security professionals over the last 10 years have been designing, implementing and testing disaster recovery plans. Cyber disaster in the form of a targeted attack, DDOS (Distributed Denial of Service) campaign or some other business-impacting event must be expected in this day and age of sophisticated targeted attacks. Look for security organizations that can assist in designing risk balance into your security operations. Every business has a unique outlook on their requirements and data handling and they want an organization that can help facilitate technology implementation and adoption to support this custom viewpoint. Being a Threat Defense Expert not only means you have many years in analyzing the latest threats and attacks but it also means you have a keen understanding of business requirements when implementing security solutions to protect the business. Gain transparency into frequency and sophistication of targeted attacks today by partnering with the Threat Defense Experts.