The world of cyber-security is a rapidly changing and ever evolving mixture of enabling technology and debilitating threats. Increasingly, we are seeing more sophisticated attackers using modern tools to
attack and penetrate dated and aging security protection systems to great avail. Below, you will find the top 5 security challenges companies will be facing in the coming year. Each of these alone can have significant impact on a company’s bottom line, its customers and employees. If there is one common thread to defending against these threats, it is taking a proactive approach to security day in and day out.
Cybercrime and Hacktivism
The rise of cybercrime can be seen almost nightly in newscasts around the world. Hackers target governments and corporations to steal data ranging from credit card numbers to personally identifiable information to either sell on the black market or gain notoriety for themselves or their cause. These attacks can be sophisticated, using modern tools and previously unannounced or newly found vulnerabilities that are difficult to stop. In other cases, hackers are targeting older systems that have been neglected from proper maintenance, patching and upgrade care. These systems quickly and silently fall, enabling a foothold inside an organization and allowing them to reach out to other internal systems. In either case, proactive action is the best defense. Security is a process that needs to be incorporated into all aspects of an organization. Increasing sophistication and collaboration between bad actors, who only need to be successful once, reinforces the need for organizations to view security as an ongoing process that requires buy-in from all levels and areas of their business. Proactive action can take many forms, from automated vulnerability scanning on weekly basis, to quarterly risk and threat assessments, to security architecture documentation and reviews. Through a continued, interrelated, and focused effort, security can become a process ingrained in an organization where by the unpredictable threats of the digital age can be defended and risk mitigated.
Compliance and Privacy
As the cyber security threat environment is in constant change, so too is the regulatory environment of which companies must demonstrate compliance. Compliance can come in several types, from government mandated regulation, to internal process and procedures, to customer contractual requirements. The demands on IT staff, employees, and partners for the safeguarding of Personal Identifiable Information (PII) is an ever growing concern. Penalties for data breaches can range from fines and lawsuits to loss of business. Further losses to the business can result from having to disclose data breaches, thereby reducing credibility and increasing costs to recover from the breach both internally and in the public’s eye. Companies are caught in the cross fire, on one side is an ever growing threat from hackers and on the other the ever increasingly complex regulatory environment. This complex environment spans far beyond IT security to now include legal, HR, C-level executives and the Board of Directors, all of which can be found liable for not doing enough to protect sensitive data. Once again, a proactive approach to security is your best defense. Defining standards for data collection, storage, retention and approved use removes confusion and limits accidental disclosures. Developing consistent data classifications, acceptable use policies, and repeatable processes and procedures will reinforce proper actions with your staff. This will reduce complexity and allow for more accurate monitoring and auditing of sensitive information inside an organization.
Partners and Third Party Providers
Through its ability to facilitate the sharing of information with partners and third parties, the Internet has brought tremendous gains in productivity but not without risk. Connections with partners and third parties can extend your network beyond your direct and immediate control, leaving you open to untold threats. Essentially, you are only as secure as your weakest link. This was aptly demonstrated by the attack on Target,
through one of its vendor’s web services application. The sharing of information, whether it is for accounts receivable / payable, inventory, professional services such as legal, HR, or other services, your security is dependent on their security. A trend that is growing and will continue to grow is an increasing importance on information security assurances with vendors, partners and third party providers. This can take the form of contractual obligations in order to secure online processing and data transfers, to the ability to perform audits of third party providers for compliance. To be successful this process must be uniform in its implementation and persistent in validating compliance. By being proactive with your information security practices, you can control your organization’s security posture, mitigate risks and enable greater productivity.
Mobile and Bring Your Own Device (BYOD)
From the ever present smart phone to tablets as powerful and flexible as laptops, mobile devices are changing the entire business landscape and redrawing the security perimeter. When it comes to mobile, the security challenges facing an IT staff is the demand for access, coming from all directions, from executives and professional staff, to entry level employees and contractors, all with different access needs and requirements. Accurately identifying and authenticating mobile users is just as critical as securing the data they are trying to access. Complicating this effort is the mixture of “bring-your-own-device” (BYOD) and corporate assets, each with a different level of security and control that is requesting access. Determining an appropriate set of business needs and acceptable use cases is the first step to getting control of the situation. Once an acceptable use is defined, determining how to identify and authenticate users and protect the data is paramount. Different data classifications will have different requirements based on regulatory, internal or contractual obligations. Proactive action to determine acceptable use and the security controls needed to
protect information will allow organizations to benefit from the increase in productivity mobile devices offers.
Complexity and Expertise
Security in layers can become overwhelming and complex. Getting the most out of any security product is a constantly changing process. Keeping up with the changes to your environment, business requirements, and industry direction can be difficult at the best of times and seemingly impossible at other times. Budgeting and head count often lag behind what is needed to meet the challenges of today. Even when you have budget
and head count, attracting the right talent at the right time is a struggle for most companies. The pace of new threats and vulnerabilities discovered can outstrip all but the largest information security organizations. On the other side, the pace of new security products is equally as frantic, not only products but also entirely new areas of information security are emerging to counter the ever growing threats. Add in the growing complexity of effectively managing all of this and you can see why most companies are at a significant disadvantage compared to the hackers that are targeting them. This complexity of environment and lack of the right expertise is as significant of a threat to companies as any of the above mentioned threats.
Securion: Your Trusted Partner
Today’s companies are falling victim to attacks that target physical and logical infrastructures, mobile platforms, user identities, network devices and more. The number of threats to company systems – and the security of precious data – is growing exponentially. Unfortunately, those threats are also becoming increasingly sophisticated in their efforts to undermine companies’ security provisions – so both the volume and the effectiveness of security threats are increasing. In fact, today’s malware and cybercrime attacks can be relentless in their attempts to exploit security vulnerabilities.
It doesn’t matter what size your business is anymore. If it’s of value to you, then it is valuable to criminals, too. Indeed, small and mid-sized businesses are increasingly being targeted because they represent a backdoor into larger enterprises and require fewer resources than do attacks against more sophisticated corporations. However, not all information-related issues can be dealt with by applying technology. If these systems are implemented incorrectly, the time and money spent on implementing the tools will have been wasted. Before procuring and deploying a technology product, it is critical that a company understand its risk profile, as well as its compliance and governance obligations. Once an organization has this understanding, it can bring together relevant stakeholders to craft appropriate policies and procedures. Technology supports effective policies and procedures; it does not replace them.
Securion was formed by a merger between two long standing security engineering and security architecture consulting companies. The driving force behind the merger was to create a single consulting company equipped to expertly handle all facets of information security. By leveraging a combined 26 years of security consulting experience at some of the largest companies in the world, Securion was assembled with the resources and the talent to achieve that goal. The engineering and architecture talent of the combined company enables Securion to focus on solutions to the most demanding and complex security challenges facing companies today.
Securion is set apart from the industry in our approach, in our solutions and our expertise. As a pure consulting firm that is vendor neutral, we are not beholden to any manufacturer or technology product. This is in contrast to value added resellers who only recommend products / solutions in their portfolios due to sales quotas, commissions and contractual obligations. Our advice and stewardship is focused on what is best for the client. This approach has been honed over decades of real world experience. Securion’s leadership team is comprised of industry veterans who have served in all roles (client, consultant and manufacturer), providing us with a wide perspective and deep insight in how to build a consulting firm that is effective and provides real value for our clients. In short, a true partner for the long term.